Profile Applicability
- Level 1
Description:
AWS Network Firewall is a managed service that helps protect your Virtual Private Cloud (VPC) by monitoring and controlling incoming and outgoing network traffic. It is important to ensure that Network Firewall is enabled for all VPCs to prevent unauthorized access, filter malicious traffic, and enhance security at the network level. This SOP ensures that Network Firewall is configured and active across all your VPCs.
Rationale:
Security: Enabling Network Firewall for VPCs ensures that traffic entering and leaving the VPC is inspected by stateless and stateful rules (5-tuple filtering, domain-name filtering and Suricata-compatible intrusion detection and prevention signatures), blocking unauthorized access and known-malicious traffic that security groups and network ACLs alone cannot identify.
Compliance: Many compliance standards (e.g., SOC 2, PCI-DSS) require that VPCs be protected using network-level firewalls to maintain the integrity and confidentiality of data in the cloud.
Best Practices: Network segmentation with firewalls is a core best practice for securing cloud environments, and it helps meet security objectives such as ensuring only legitimate traffic flows into and out of VPCs.
Impact:
Pros:
Enhanced Security: Adds an additional layer of protection to control traffic based on predefined rules.
Traffic Inspection: Monitors and inspects network traffic, helping to identify malicious activity and mitigate risks.
Compliance: Meets regulatory requirements for protecting VPC resources with network-level firewalls.
Cons:
Performance: Network traffic inspection may introduce slight latency, depending on the configuration and amount of traffic.
Cost: AWS Network Firewall is billed per firewall endpoint per hour and per GB of traffic processed, so charges grow with the number of Availability Zones covered and the volume of traffic inspected.
Default Value:
By default, no Network Firewall exists for a VPC; traffic is filtered only by security groups and network ACLs. A firewall must be created in the VPC, associated with a firewall policy, and placed on the routing path through the VPC route tables before it inspects any traffic.
Pre-requisite:
AWS IAM Permissions:
ec2:DescribeVpcs
ec2:DescribeRouteTables
ec2:CreateRoute
ec2:ReplaceRoute
ec2:AssociateRouteTable
network-firewall:ListFirewalls
network-firewall:DescribeFirewall
network-firewall:CreateFirewall
network-firewall:AssociateFirewallPolicy
network-firewall:UpdateFirewallDeleteProtection
network-firewall:DeleteFirewall
AWS CLI installed and configured.
VPCs are created and operational, with a dedicated firewall subnet (one that hosts nothing but the firewall endpoint) in each Availability Zone to be protected.
A firewall policy, with its stateless and stateful rule groups, is defined and ready for association.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon VPC under Services.
In the VPC Dashboard, select Firewalls under the Network Firewall section.
Review the Firewalls list, which shows each firewall's VPC and status, and confirm that every VPC in the region has a firewall whose status is Ready.
If Network Firewall is not enabled for any VPC, follow the Implementation Steps to enable it.
Using AWS CLI:
To list all VPCs in the region, run:
aws ec2 describe-vpcs --query 'Vpcs[*].VpcId' --output text
To list the firewalls deployed in a given VPC, run:
aws network-firewall list-firewalls --vpc-ids <vpc-id>
If the Firewalls array is empty, the VPC has no Network Firewall. For each firewall returned, confirm that it is in service (describe-firewall takes --firewall-name or --firewall-arn; there is no --firewall-id option):
aws network-firewall describe-firewall --firewall-arn <firewall-arn> --query '{VpcId:Firewall.VpcId,Status:FirewallStatus.Status,Endpoints:FirewallStatus.SyncStates}'
Status must be READY. Repeat for every VPC; any VPC without a READY firewall is non-compliant and must be remediated by following the Implementation Steps.
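The CLI checks above, combined into one audit script. This is an added example and not part of the original SOP: it calls the documented aws ec2 describe-vpcs, aws network-firewall list-firewalls and aws network-firewall describe-firewall commands through subprocess, and the function names, the READY-only rule and the sample data are this example's own assumptions. The logic lives in a pure function so it can be run against saved JSON as well as against a live account.

```python
"""Report the VPCs in the configured region that have no Network Firewall in READY state."""
import json
import subprocess


def aws_json(*args):
    """Run an AWS CLI command and return its parsed JSON output.

    The CLI auto-paginates list/describe calls, so no NextToken handling is needed here.
    """
    result = subprocess.run(["aws", *args, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def unprotected_vpcs(describe_vpcs, firewall_descriptions):
    """Return the sorted IDs of VPCs that have no firewall whose status is READY.

    describe_vpcs: parsed output of `aws ec2 describe-vpcs`.
    firewall_descriptions: parsed `aws network-firewall describe-firewall` outputs,
        one per firewall returned by `list-firewalls`.
    A firewall that is still PROVISIONING or already DELETING does not count as
    protection (assumption of this example, not stated by the SOP).
    """
    all_vpcs = {vpc["VpcId"] for vpc in describe_vpcs["Vpcs"]}
    ready_vpcs = {
        fw["Firewall"]["VpcId"]
        for fw in firewall_descriptions
        if fw["FirewallStatus"]["Status"] == "READY"
    }
    return sorted(all_vpcs - ready_vpcs)


def audit_region():
    """Collect live data and return the unprotected VPC IDs for the configured region."""
    vpcs = aws_json("ec2", "describe-vpcs")
    firewalls = aws_json("network-firewall", "list-firewalls")["Firewalls"]
    descriptions = [
        aws_json("network-firewall", "describe-firewall", "--firewall-arn", fw["FirewallArn"])
        for fw in firewalls
    ]
    return unprotected_vpcs(vpcs, descriptions)


# Constructed sample data (not output from a real account) so the check runs offline:
# vpc-0aaa is protected, vpc-0bbb has no firewall, vpc-0ccc's firewall is not READY yet.
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}, {"VpcId": "vpc-0ccc"}]}
SAMPLE_FIREWALLS = [
    {"Firewall": {"FirewallName": "fw-prod", "VpcId": "vpc-0aaa"},
     "FirewallStatus": {"Status": "READY"}},
    {"Firewall": {"FirewallName": "fw-new", "VpcId": "vpc-0ccc"},
     "FirewallStatus": {"Status": "PROVISIONING"}},
]

if __name__ == "__main__":
    for vpc_id in audit_region():
        print(f"NON-COMPLIANT: {vpc_id} has no READY Network Firewall")
```

Run it with credentials for each region in scope; an empty result means every VPC in that region has a firewall in service. It does not tell you whether the firewall is actually on the routing path, which the Implementation Steps cover.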
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Amazon VPC.
In the VPC Dashboard, under Network Firewall, choose Firewalls and click Create firewall.
Choose the VPC to protect and, for each Availability Zone, the dedicated firewall subnet in which the firewall endpoint will be created.
Associate the firewall policy that defines the stateless and stateful rules to apply.
Click Create firewall and wait until the firewall status is Ready; each Availability Zone then shows a firewall endpoint (vpce-...).
Put the firewall on the routing path: in the route table of each protected subnet, send traffic (for example 0.0.0.0/0) to the firewall endpoint in the same Availability Zone, and attach an ingress route table to the internet gateway that sends return traffic for the protected subnets to the firewall endpoints. A firewall that no route table points at inspects nothing.
Ensure that the firewall rules are configured as per your organization's security policy.
Test the firewall configuration, for example by generating traffic that a rule should block and confirming it is dropped and logged.
Using AWS CLI:
To create a Network Firewall in a VPC, with one firewall subnet per Availability Zone, run (subnet mappings are space-separated):
aws network-firewall create-firewall \
  --firewall-name <firewall-name> \
  --firewall-policy-arn <firewall-policy-arn> \
  --vpc-id <vpc-id> \
  --subnet-mappings SubnetId=<subnet-id1> SubnetId=<subnet-id2>
To check the status of the firewall and retrieve its endpoint IDs (describe-firewall takes --firewall-name or --firewall-arn):
aws network-firewall describe-firewall --firewall-name <firewall-name> --query 'FirewallStatus'
Wait until Status is READY; SyncStates then lists an Attachment.EndpointId (vpce-...) for each Availability Zone.
To change the firewall policy later:
aws network-firewall associate-firewall-policy --firewall-name <firewall-name> --firewall-policy-arn <firewall-policy-arn>
Route traffic through the firewall; creating it does not inspect anything on its own. In each protected subnet's route table, send traffic to the firewall endpoint in the same Availability Zone:
aws ec2 create-route --route-table-id <protected-subnet-rtb-id> --destination-cidr-block 0.0.0.0/0 --vpc-endpoint-id <firewall-endpoint-id>
Then attach an ingress route table to the internet gateway so that return traffic for the protected subnets also passes through the firewall:
aws ec2 associate-route-table --route-table-id <ingress-rtb-id> --gateway-id <igw-id>
aws ec2 create-route --route-table-id <ingress-rtb-id> --destination-cidr-block <protected-subnet-cidr> --vpc-endpoint-id <firewall-endpoint-id>
Verify the configuration by running:
aws network-firewall describe-firewall --firewall-name <firewall-name>
aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id> --query 'RouteTables[*].Routes[?starts_with(GatewayId, `vpce-`)]'
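The routing step is where deployments most often go wrong: the firewall reports READY but no route table sends traffic to its endpoints. The following check, an added example and not part of the original SOP, cross-references a firewall's endpoints from describe-firewall against the VPC's route tables from describe-route-tables. It assumes (as this example's own premise, not something the SOP states) that describe-route-tables reports a route targeting a firewall endpoint with the endpoint ID in the route's GatewayId field; the function names and the sample data are likewise this example's.

```python
"""Report firewall endpoints that no active route in the VPC points at."""
import json
import subprocess


def aws_json(*args):
    """Run an AWS CLI command and return its parsed JSON output."""
    result = subprocess.run(["aws", *args, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def endpoint_ids(describe_firewall):
    """Firewall endpoint IDs (one per Availability Zone) from describe-firewall's SyncStates."""
    sync_states = describe_firewall["FirewallStatus"].get("SyncStates", {})
    return sorted(state["Attachment"]["EndpointId"]
                  for state in sync_states.values() if "Attachment" in state)


def unrouted_endpoints(describe_firewall, describe_route_tables):
    """Return the firewall's endpoint IDs that no active route targets.

    Assumption of this example: a route to a firewall endpoint carries the vpce-... ID
    in the route's GatewayId field. A firewall whose every endpoint is returned here is
    deployed but sits outside the data path and inspects nothing.
    """
    active_targets = {
        route.get("GatewayId")
        for table in describe_route_tables["RouteTables"]
        for route in table.get("Routes", [])
        if route.get("State") == "active"
    }
    return [ep for ep in endpoint_ids(describe_firewall) if ep not in active_targets]


def check_firewall(firewall_name):
    """Live check: describe the named firewall and the route tables of its VPC."""
    fw = aws_json("network-firewall", "describe-firewall", "--firewall-name", firewall_name)
    vpc_id = fw["Firewall"]["VpcId"]
    tables = aws_json("ec2", "describe-route-tables",
                      "--filters", f"Name=vpc-id,Values={vpc_id}")
    return unrouted_endpoints(fw, tables)


# Constructed sample data (not output from a real account): a two-AZ firewall where only
# the us-east-1a endpoint has been placed on a default route; us-east-1b still goes
# straight to the internet gateway.
SAMPLE_FIREWALL = {
    "Firewall": {"FirewallName": "fw-prod", "VpcId": "vpc-0aaa"},
    "FirewallStatus": {
        "Status": "READY",
        "SyncStates": {
            "us-east-1a": {"Attachment": {"SubnetId": "subnet-0a1",
                                          "EndpointId": "vpce-0111", "Status": "READY"}},
            "us-east-1b": {"Attachment": {"SubnetId": "subnet-0b1",
                                          "EndpointId": "vpce-0222", "Status": "READY"}},
        },
    },
}
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0aaa", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0111", "State": "active"}]},
    {"RouteTableId": "rtb-0bbb", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}]},
]}

if __name__ == "__main__":
    import sys
    missing = check_firewall(sys.argv[1])
    print("firewall is on the routing path" if not missing
          else f"endpoints with no route pointing at them: {missing}")
```

An endpoint listed by this check means the subnets in that Availability Zone are bypassing the firewall; fix the route table for that zone (and the ingress route table on the internet gateway) rather than treating the READY status as proof of inspection.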
Backout Plan:
Using AWS Console:
If enabling Network Firewall causes issues, sign in to the AWS Management Console.
First repoint the routes that target the firewall endpoints (for example back to the internet gateway) so that traffic is not black-holed when the endpoints disappear, and detach the ingress route table from the internet gateway.
Navigate to VPC, Network Firewall, Firewalls, select the firewall, disable Delete protection (it is enabled when a firewall is created), and delete the firewall.
Verify that the firewall is removed, that no route tables still reference its endpoints, and that only security groups and network ACLs remain in effect.
Using AWS CLI:
Remove the routes that send traffic to the firewall endpoints first, for example:
aws ec2 replace-route --route-table-id <protected-subnet-rtb-id> --destination-cidr-block 0.0.0.0/0 --gateway-id <igw-id>
aws ec2 disassociate-route-table --association-id <ingress-rtb-association-id>
Delete protection is enabled when a firewall is created, so clear it before deleting (the CLI service name is network-firewall and the firewall is addressed by name or ARN):
aws network-firewall update-firewall-delete-protection --firewall-name <firewall-name> --no-delete-protection
aws network-firewall delete-firewall --firewall-name <firewall-name>
Verify that the Network Firewall has been deleted and that no firewall remains in the VPC (the Firewalls array must be empty; describe-firewall on the deleted firewall returns ResourceNotFoundException):
aws network-firewall list-firewalls --vpc-ids <vpc-id>