Ensure that the AWS Network Firewall service is used to deploy essential network protection for your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall is a stateful, managed network firewall and intrusion detection and prevention service that lets you inspect and filter traffic to, from, or between your Amazon VPCs.
You manage AWS Network Firewall through three main components:
- Firewall – a firewall connects the Amazon VPC that you want to protect to the protection behavior defined in a firewall policy. For each Availability Zone (AZ) where you want protection, you give the firewall a subnet dedicated to the firewall endpoint. To put the firewall into the traffic path, you update the VPC route tables so that incoming and outgoing traffic is sent through the firewall endpoints.
- Firewall policy – a firewall policy defines the behavior of the firewall as a collection of stateless and stateful rule groups. Each firewall can be associated with only one firewall policy, but one firewall policy can be used by more than one firewall.
- Rule group – a rule group is a collection of stateless or stateful rules that define how to inspect and handle network traffic. Rules can be written as 5-tuple rules, domain name lists, or Suricata-compatible rules. Suricata is an open-source network IPS with a standard rule language for traffic inspection.
This rule can help you work with the AWS Well-Architected Framework.
With AWS Network Firewall it is easy to deploy network protection (including protection from common network threats) for your Amazon VPCs. The stateful firewall can incorporate context from traffic flows, such as connection tracking and protocol identification, to enforce policies such as preventing your VPCs from reaching domains over unauthorized protocols. The intrusion prevention system (IPS) performs active traffic flow inspection so that you can identify and block vulnerability exploits using signature-based detection. AWS Network Firewall also provides web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names (FQDNs). Together, these capabilities let you control your VPC traffic to help stop data loss, meet compliance requirements, and secure Amazon Direct Connect and VPN connections.
Audit
To determine whether the AWS Network Firewall service is enabled for your Amazon Virtual Private Clouds (VPCs), perform the following actions:
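As an added example (not the original rule's audit steps), the following Python check evaluates, offline, whether every VPC has a Network Firewall that is READY, has a policy attached, and has at least one endpoint subnet. It assumes the JSON shapes returned by `aws ec2 describe-vpcs` and `aws network-firewall describe-firewall`; the sample documents below are constructed, and in practice you would feed it the real command output.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-vpcs` output (not real account data).
DESCRIBE_VPCS = json.loads("""
{"Vpcs": [
  {"VpcId": "vpc-0a1b2c3d4e5f60001", "CidrBlock": "10.0.0.0/16"},
  {"VpcId": "vpc-0a1b2c3d4e5f60002", "CidrBlock": "10.1.0.0/16"},
  {"VpcId": "vpc-0a1b2c3d4e5f60003", "CidrBlock": "10.2.0.0/16"}
]}""")

# Constructed samples in the shape of `aws network-firewall describe-firewall` output,
# one document per firewall returned by `aws network-firewall list-firewalls`.
DESCRIBE_FIREWALLS = [json.loads(s) for s in ("""
{"Firewall": {"FirewallName": "prod-fw", "VpcId": "vpc-0a1b2c3d4e5f60001",
  "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall-policy/prod",
  "SubnetMappings": [{"SubnetId": "subnet-0aaa"}, {"SubnetId": "subnet-0bbb"}]},
 "FirewallStatus": {"Status": "READY"}}""", """
{"Firewall": {"FirewallName": "staging-fw", "VpcId": "vpc-0a1b2c3d4e5f60002",
  "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall-policy/stg",
  "SubnetMappings": [{"SubnetId": "subnet-0ccc"}]},
 "FirewallStatus": {"Status": "PROVISIONING"}}""")]


def audit_vpc_firewalls(describe_vpcs, describe_firewalls):
    """Map each VpcId to PROTECTED, MISSING_FIREWALL or FIREWALL_NOT_READY.

    A VPC counts as protected only if at least one firewall in it is READY,
    has a firewall policy attached, and has at least one endpoint subnet.
    """
    firewalls_by_vpc = {}
    for doc in describe_firewalls:
        fw = doc["Firewall"]
        status = doc.get("FirewallStatus", {}).get("Status")
        firewalls_by_vpc.setdefault(fw["VpcId"], []).append((fw, status))

    findings = {}
    for vpc in describe_vpcs["Vpcs"]:
        vpc_id = vpc["VpcId"]
        candidates = firewalls_by_vpc.get(vpc_id, [])
        if not candidates:
            findings[vpc_id] = "MISSING_FIREWALL"
            continue
        usable = [fw for fw, status in candidates
                  if status == "READY" and fw.get("FirewallPolicyArn") and fw.get("SubnetMappings")]
        findings[vpc_id] = "PROTECTED" if usable else "FIREWALL_NOT_READY"
    return findings


if __name__ == "__main__":
    for vpc_id, result in audit_vpc_firewalls(DESCRIBE_VPCS, DESCRIBE_FIREWALLS).items():
        print(f"{vpc_id}: {result}")
```

Any VPC reported as MISSING_FIREWALL or FIREWALL_NOT_READY is a finding for this rule; a READY firewall still only protects traffic whose route tables point at its endpoints.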
Remediation / Resolution
AWS Network Firewall provides network traffic filtering and protection for your Amazon Virtual Private Clouds (VPCs). To enable and configure AWS Network Firewall for your Amazon VPCs, perform the following actions:
References
- AWS Documentation
  - AWS Network Firewall FAQs
  - AWS Network Firewall
  - Getting started with AWS Network Firewall
  - Firewalls in AWS Network Firewall
  - Firewall policies in AWS Network Firewall
  - Rule groups in AWS Network Firewall
  - Route table configurations for AWS Network Firewall
  - AWS Network Firewall example architectures with routing
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-vpcs
  - network-firewall
    - list-firewalls
    - create-rule-group
    - create-firewall-policy
    - create-firewall
- AWS Blogs and Announcements
  - Introducing the AWS Network Firewall - a new managed service to deploy network security across your Amazon VPCs with just a few clicks
  - Deployment models for AWS Network Firewall
- Suricata Documentation
  - Suricata