Enable Deletion Protection for Network Firewalls

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that the Deletion Protection safety feature is enabled for your Amazon VPC network firewalls in order to protect the firewalls from being accidentally deleted. By default, Deletion Protection is disabled for VPC network firewalls.

Reliability

AWS Network Firewall is a stateful, managed network firewall and intrusion detection and prevention service that enables you to inspect and filter traffic to, from, or between your Virtual Private Clouds (VPCs). With AWS Network Firewall it is easy to deploy network protection (including protection from common network threats) for your Amazon VPC networks. With the Deletion Protection safety feature enabled, DeleteFirewall requests for the firewall are rejected until the flag is turned off again, so the firewall cannot be removed by an accidental API call, console action or infrastructure-as-code change, and your Amazon VPCs remain protected by the associated firewalls. Note that the flag guards against mistakes, not against a malicious or compromised principal: anyone allowed to call UpdateFirewallDeleteProtection can clear it and then delete the firewall, so restrict that permission in IAM alongside enabling the flag.


Audit

To determine if your Amazon VPC network firewalls are protected against accidental deletion, perform the following actions:

Note: Inspecting VPC network firewalls for deletion protection using the AWS Management Console is not currently supported.

Using AWS CLI

01 Run describe-vpcs command (OSX/Linux/UNIX) to list the IDs of all the Amazon Virtual Private Clouds (VPCs) available in the selected AWS cloud region:

aws ec2 describe-vpcs \
  --region us-east-1 \
  --output table \
  --query 'Vpcs[*].VpcId'

02 The command output should return the requested VPC identifiers (IDs):

------------------
|  DescribeVpcs  |
+----------------+
|  vpc-abcdabcd  |
|  vpc-abcd1234  |
|  vpc-1234abcd  |
+----------------+

03 Run list-firewalls command (OSX/Linux/UNIX) using the ID of the Amazon VPC that you want to examine as the identifier parameter and custom query filters to describe the name of each network firewall associated with the selected VPC (the --vpc-ids parameter accepts more than one ID, and omitting it returns every firewall in the region):

aws network-firewall list-firewalls \
  --region us-east-1 \
  --vpc-ids vpc-abcdabcd \
  --query 'Firewalls[*].FirewallName'

04 The command output should return an array with the requested resource name(s):

[
  "cc-prod-vpc-network-firewall",
  "cc-itemized-network-firewall"
]

05 Run describe-firewall command (OSX/Linux/UNIX) using the name of the VPC network firewall that you want to examine as the identifier parameter and custom query filters to describe the Deletion Protection status of the selected firewall resource:

aws network-firewall describe-firewall \
  --region us-east-1 \
  --firewall-name cc-prod-vpc-network-firewall \
  --query 'Firewall.DeleteProtection'

06 The command output should return the requested configuration status (true for enabled, false for disabled):

false

If the describe-firewall command output returns false, as shown in the output example above, the Deletion Protection safety feature is not enabled for the selected Amazon VPC network firewall.

07 Repeat steps no. 5 and 6 for each firewall created for the selected Virtual Private Cloud (VPC).

08 Repeat steps no. 3 – 7 for each Amazon VPC available within the selected AWS cloud region.

09 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To enable the Deletion Protection safety feature for your Amazon Virtual Private Cloud (VPC) network firewalls, perform the following actions:

Note: Enabling deletion protection for VPC network firewalls using the AWS Management Console is not currently supported.

Using AWS CLI

01 Run update-firewall-delete-protection command (OSX/Linux/UNIX) using the name of the Amazon VPC network firewall that you want to reconfigure as the identifier parameter, to enable the Deletion Protection feature for the selected network firewall and protect the cloud resource from accidental deletion:

aws network-firewall update-firewall-delete-protection \
  --region us-east-1 \
  --firewall-name cc-prod-vpc-network-firewall \
  --delete-protection

02 The command output should return the metadata available for the modified VPC network firewall:

{
  "FirewallArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall/cc-prod-vpc-network-firewall",
  "FirewallName": "cc-prod-vpc-network-firewall",
  "DeleteProtection": true,
  "UpdateToken": "1234abcd-1234-abcd-1234-abcd1234abcd"
}

03 Repeat steps no. 1 and 2 for each network firewall associated with your Virtual Private Cloud (VPC).

04 Repeat steps no. 1 – 3 for each Amazon VPC available in the selected AWS cloud region.

05 Change the AWS region by updating the --region command parameter value and repeat the remediation process for other regions.
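The audit (steps 1 to 9 above) and the remediation (steps 1 to 5) are the same loop run twice, so the script below combines them. It is an added example and not part of the original Conformity page. It assumes AWS CLI v2 with credentials permitted to call ec2:DescribeRegions, network-firewall:ListFirewalls, network-firewall:DescribeFirewall and network-firewall:UpdateFirewallDeleteProtection. It generalizes the procedure in two ways: list-firewalls is called without --vpc-ids, which returns every firewall in the region and makes the per-VPC loop unnecessary, and the region list comes from ec2 describe-regions instead of being edited by hand. The function names (normalize_status, decide_action, audit and the aws wrappers) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original Conformity page. Audits every AWS
# Network Firewall in every enabled region for DeleteProtection and, with
# --fix, enables it where it is off. Assumes AWS CLI v2 and credentials for
# ec2:DescribeRegions, network-firewall:ListFirewalls,
# network-firewall:DescribeFirewall and
# network-firewall:UpdateFirewallDeleteProtection.

# describe-firewall prints True/False with --output text and true/false with
# --output json; anything else (for example empty output after an API error)
# is reported as "unknown" so it can never be mistaken for "protected".
normalize_status() {
  case "$1" in
    true|True)   echo protected ;;
    false|False) echo unprotected ;;
    *)           echo unknown ;;
  esac
}

# Map (status, fix flag) to the action audit() takes. Kept separate from the
# AWS calls so the decision logic can be checked without credentials.
decide_action() {
  case "$1:$2" in
    protected:*)   echo keep ;;
    unprotected:1) echo enable ;;
    unprotected:*) echo report ;;
    *)             echo skip ;;   # unknown status: flag it, never modify it
  esac
}

list_regions() {
  aws ec2 describe-regions --query 'Regions[].RegionName' --output text
}

# Without --vpc-ids, list-firewalls returns every firewall in the region.
firewall_names() {
  aws network-firewall list-firewalls --region "$1" \
    --query 'Firewalls[].FirewallName' --output text
}

delete_protection() {
  aws network-firewall describe-firewall --region "$1" --firewall-name "$2" \
    --query 'Firewall.DeleteProtection' --output text
}

enable_protection() {
  aws network-firewall update-firewall-delete-protection --region "$1" \
    --firewall-name "$2" --delete-protection \
    --query 'DeleteProtection' --output text
}

# Prints "region<TAB>firewall<TAB>status<TAB>action" per firewall and returns
# 1 if any firewall was not protected when checked, so it can gate a pipeline.
audit() {
  fix="$1"
  rc=0
  for region in $(list_regions); do
    for name in $(firewall_names "$region"); do
      status=$(normalize_status "$(delete_protection "$region" "$name")")
      action=$(decide_action "$status" "$fix")
      printf '%s\t%s\t%s\t%s\n' "$region" "$name" "$status" "$action"
      [ "$status" = protected ] || rc=1
      if [ "$action" = enable ]; then
        # update-firewall-delete-protection echoes the new flag; verify it.
        [ "$(normalize_status "$(enable_protection "$region" "$name")")" = protected ] \
          || echo "  failed to enable delete protection on $name" >&2
      fi
    done
  done
  return "$rc"
}

# Only act when invoked with an explicit mode; sourcing the file or running it
# without arguments just defines the functions.
case "${1:-}" in
  --audit) audit 0 ;;
  --fix)   audit 1 ;;
esac
```

Run it as `sh nfw-delete-protection.sh --audit` to get one tab-separated line per firewall and a non-zero exit code if any firewall is unprotected, or with `--fix` to also enable Deletion Protection on the unprotected ones. A firewall whose status comes back as "unknown" (empty or unexpected output, typically because describe-firewall failed) is flagged but never modified, so a transient API error cannot be mistaken for a remediated resource.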

Publication date Feb 6, 2021
