Profile Applicability

  • Level 1

Description:

AWS Network Firewall provides a managed firewall service that helps protect Amazon Virtual Private Cloud (VPC) by controlling traffic in and out of the VPC. A Firewall Policy in AWS Network Firewall is a set of rules that govern the traffic inspection. Each policy must have at least one Rule Group associated with it to function properly. This SOP ensures that every Network Firewall Policy has at least one Rule Group associated with it to enforce traffic inspection and filtering.

Rationale:

  • Security: A firewall policy without rule groups would be ineffective at filtering network traffic. Ensuring that each Network Firewall Policy has at least one Rule Group ensures that traffic is actually inspected and that the intended security controls are applied.

  • Compliance: Network security controls are often required by compliance standards (e.g., SOC 2, HIPAA) to ensure proper traffic filtering is in place within the network.

  • Best Practices: To ensure network security, Network Firewall Policies must be associated with Rule Groups, as these determine how traffic should be filtered or blocked.

Impact:

Pros:

  • Improved Security: Ensures that traffic is inspected and filtered according to predefined rules, enhancing network security.

  • Regulatory Compliance: Helps meet industry security and compliance standards requiring proper traffic control and filtering.

  • Prevention of Unauthorized Access: Reduces the risk of unauthorized or malicious traffic entering or exiting the VPC.

Cons:

  • Initial Setup Complexity: Configuring Rule Groups and associating them with policies can be complex during the initial setup.

  • Potential Misconfiguration: If rule groups are not configured correctly, they could either block legitimate traffic or fail to block malicious traffic.

Default Value:

By default, AWS Network Firewall Policies do not have any Rule Groups associated until explicitly configured. If no Rule Groups are associated, the firewall policy will not perform any traffic filtering.

Pre-requisite:

  • AWS IAM Permissions:

    • network-firewall:DescribeFirewallPolicy

    • network-firewall:PutFirewallPolicy

    • network-firewall:ListRuleGroups

    • network-firewall:AssociateFirewallPolicy

  • AWS CLI installed and configured.

  • Firewall Policy and Rule Groups should already be created in the AWS Network Firewall service.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Network Firewall under Services.

  3. In the Network Firewall Console, select Firewall Policies under the Network Firewall section.

  4. For each Firewall Policy, check the Rule Groups tab:

    • Ensure that at least one Rule Group is associated with the policy.

  5. If no Rule Groups are associated, follow the Implementation Steps below to associate a Rule Group with the Firewall Policy.

Using AWS CLI:

  1. To describe the Firewall Policy and check associated Rule Groups, run:

    aws networkfirewall describe-firewall-policy --firewall-policy-name <firewall-policy-name> --query 'FirewallPolicy.[StatelessRuleGroupReferences,StatefulRuleGroupReferences]'

  2. If the output shows no Rule Groups are associated (both lists are empty or null), follow the steps in the Implementation Steps to associate a Rule Group.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Network Firewall.

  2. In the Network Firewall Console, select Firewall Policies.

  3. Choose the Firewall Policy that you want to modify.

  4. Under the Rule Groups tab, click Edit.

  5. Associate at least one Rule Group with the Firewall Policy:

    • Select an existing Rule Group from the list or create a new one.

  6. Save the changes to apply the Rule Group to the Firewall Policy.

Using AWS CLI:

  1. To associate a Rule Group with a Firewall Policy, save the current policy document, add the Rule Group's ARN to it (as {"ResourceArn": "<rule-group-arn>"} under StatefulRuleGroupReferences, or under StatelessRuleGroupReferences together with a Priority), and submit it with the UpdateToken returned by describe-firewall-policy. The document passed to --firewall-policy replaces the existing one, so keep its default actions:

    aws networkfirewall describe-firewall-policy --firewall-policy-name <firewall-policy-name> --query 'FirewallPolicy' > policy.json
    aws networkfirewall update-firewall-policy --firewall-policy-name <firewall-policy-name> --update-token <update-token> --firewall-policy file://policy.json

  2. Verify the changes by describing the Firewall Policy again:

    aws networkfirewall describe-firewall-policy --firewall-policy-name <firewall-policy-name> --query 'FirewallPolicy.[StatelessRuleGroupReferences,StatefulRuleGroupReferences]'

Backout Plan:

Using AWS Console:

  1. If associating the Rule Group causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS Network Firewall, select Firewall Policies, and open the Firewall Policy.

  3. Remove the associated Rule Group and save the changes.

  4. Verify that the Firewall Policy no longer has the Rule Group associated.

Using AWS CLI:

  1. To remove the associated Rule Group from a Firewall Policy, set StatelessRuleGroupReferences and StatefulRuleGroupReferences to empty lists in the saved policy document and submit it with the policy's current UpdateToken (there is no per-reference removal flag; --firewall-policy replaces the whole document, so the default actions must stay in it):

    aws networkfirewall update-firewall-policy --firewall-policy-name <POLICY_NAME> --update-token <update-token> --firewall-policy file://policy.json

  2. Verify that the Firewall Policy no longer has any Rule Groups associated:

    aws networkfirewall describe-firewall-policy --firewall-policy-name <POLICY_NAME>
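The following is an added example (not part of this SOP and not AWS code) that applies the Test Plan check and prepares the Backout document from describe-firewall-policy output: it treats a policy as compliant only when at least one stateless or stateful rule group reference exists, builds the reference-free policy document for update-firewall-policy, and, when boto3 is available, audits every policy in a region. The two sample responses, the ARNs, the policy names and the region are constructed.

```python
"""Audit AWS Network Firewall policies for rule group references (added example, not AWS code).
Input is the JSON that describe-firewall-policy returns; a policy complies with this SOP when
StatelessRuleGroupReferences or StatefulRuleGroupReferences is non-empty."""
import copy

# Constructed describe-firewall-policy responses (not real output): one policy referencing a
# stateless and a stateful rule group, and one with no rule groups at all.
POLICY_WITH_RULE_GROUPS = {
    "UpdateToken": "constructed-token-1",
    "FirewallPolicyResponse": {"FirewallPolicyName": "prod-policy"},
    "FirewallPolicy": {
        "StatelessRuleGroupReferences": [{"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/allow-dns", "Priority": 10}],
        "StatefulRuleGroupReferences": [{"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/block-known-bad"}],
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:drop"],
    },
}
EMPTY_POLICY = {
    "UpdateToken": "constructed-token-2",
    "FirewallPolicy": {"StatelessDefaultActions": ["aws:forward_to_sfe"],
                       "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"]},
}

def rule_group_arns(describe_response):
    """Every rule group ARN the policy references, stateless first. Both reference lists are
    optional in the API response, so a missing key (not just an empty list) means no rule groups."""
    policy = describe_response.get("FirewallPolicy", {})
    refs = policy.get("StatelessRuleGroupReferences", []) + policy.get("StatefulRuleGroupReferences", [])
    return [ref["ResourceArn"] for ref in refs]

def is_compliant(describe_response):
    """True when at least one Rule Group is associated with the policy."""
    return bool(rule_group_arns(describe_response))

def backout_policy(describe_response):
    """FirewallPolicy document for update-firewall-policy that drops every rule group reference
    but keeps the default actions and other settings, since --firewall-policy replaces the whole document."""
    policy = copy.deepcopy(describe_response["FirewallPolicy"])
    policy.update(StatelessRuleGroupReferences=[], StatefulRuleGroupReferences=[])
    return policy

def audit_region(region="us-east-1"):
    """Live check (needs boto3 and DescribeFirewallPolicy/ListFirewallPolicies): names of empty policies."""
    import boto3  # imported here so the offline functions above need no SDK
    client = boto3.client("network-firewall", region_name=region)
    pages = client.get_paginator("list_firewall_policies").paginate()
    summaries = [s for page in pages for s in page["FirewallPolicies"]]
    return [s["Name"] for s in summaries
            if not is_compliant(client.describe_firewall_policy(FirewallPolicyArn=s["Arn"]))]
```

Writing backout_policy's result to policy.json gives the document the Backout Plan's update-firewall-policy command expects.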

References:

CIS Controls Mapping:

  Version | Control ID | Control Description | IG1 | IG2 | IG3
  --------|------------|---------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |