Profile Applicability:
- Level 1
Description:
Amazon VPC Network Firewalls are essential for protecting your network and controlling traffic between your instances and external networks. Enabling Deletion Protection for VPC Network Firewalls ensures that the firewall cannot be accidentally deleted. This feature prevents unintentional removal of security controls, which could lead to potential security vulnerabilities. This SOP ensures that Deletion Protection is enabled for all Amazon VPC Network Firewalls to safeguard them against accidental deletion.
Rationale:
Security: Enabling Deletion Protection ensures that critical security configurations (like network firewalls) cannot be removed unintentionally or maliciously, thus maintaining the security posture of the network.
Compliance: Certain compliance standards may require that firewalls and other security controls be protected from accidental deletion to ensure that data remains secure.
Protection Against Human Error: It is common for firewalls to be inadvertently deleted during infrastructure changes, leading to an increased attack surface. Deletion protection mitigates this risk.
Impact:
Pros:
Improved Security: Protects against accidental deletion of VPC Network Firewalls, ensuring that your security configurations remain intact.
Prevents Misconfiguration: Safeguards against potential errors during infrastructure updates or maintenance.
Compliance: Aligns with industry best practices and may help fulfill regulatory requirements related to infrastructure security.
Cons:
Increased Management Complexity: While deletion protection adds an extra layer of security, it may require additional steps to manage firewall resources when necessary (e.g., if intentional deletion is required).
Potential Delay in Deletion: If you need to delete the firewall, you must first disable deletion protection, adding an extra step to the process.
Default Value:
By default, Deletion Protection is not enabled for Amazon VPC Network Firewalls. It must be explicitly enabled during the creation or configuration of the firewall.
Pre-requisite:
AWS IAM Permissions:
ec2:DescribeNetworkInterfaces
ec2:DescribeSecurityGroups
ec2:DescribeVpcPeeringConnections
AWS CLI installed and configured.
Amazon VPC Network Firewalls are deployed in the AWS environment.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to VPC under Services.
In the VPC Dashboard, select Network Firewalls.
Choose the firewall you want to check.
Under the Firewall Details, verify if Deletion Protection is enabled.
If Deletion Protection is enabled, it will be listed as part of the firewall configuration.
If it is not enabled, proceed with enabling it as described in the Implementation Steps below.
Using AWS CLI:
To describe a VPC Network Firewall and check whether Deletion Protection is enabled (the API field is DeleteProtection), run the following for each firewall:
aws network-firewall describe-firewall --firewall-name <firewall-name> --query 'Firewall.{FirewallName:FirewallName,DeletionProtection:DeleteProtection}'
Review the output to confirm that the DeletionProtection field is set to true for the firewall.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to VPC.
In the VPC Dashboard, go to Network Firewalls.
Select the firewall you want to enable Deletion Protection for.
In the Firewall details, click on Edit.
Check the box to enable Deletion Protection.
Save the changes to apply Deletion Protection to the firewall.
Using AWS CLI:
To create a VPC Network Firewall with Deletion Protection enabled, use the following command (a firewall policy ARN is required by the API):
aws network-firewall create-firewall \
    --firewall-name <firewall-name> \
    --firewall-policy-arn <firewall-policy-arn> \
    --vpc-id <vpc-id> \
    --subnet-mappings SubnetId=<subnet-id> \
    --delete-protection
To enable Deletion Protection on an existing VPC Network Firewall, use:
aws network-firewall update-firewall-delete-protection \
    --firewall-name <firewall-name> \
    --delete-protection
Verify that Deletion Protection is enabled by running:
aws network-firewall describe-firewall --firewall-name <firewall-name> --query 'Firewall.{FirewallName:FirewallName,DeletionProtection:DeleteProtection}'
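The Test Plan and Implementation Steps above check and fix one firewall at a time. The script below, added here as an example and not part of this SOP or of any AWS tooling, does the same for every firewall in a region through the boto3 network-firewall client: it walks the paginated ListFirewalls API, reads DeleteProtection from DescribeFirewall, and (unless run as a dry run) calls UpdateFirewallDeleteProtection with the UpdateToken that DescribeFirewall returned, so a concurrent change to the firewall is rejected by the service rather than silently overwritten. The FakeNetworkFirewallClient, its two firewall names and ARNs, and the example account number are constructed so the logic can be exercised offline; boto3 is only needed for a real run.

```python
"""Audit and remediate DeleteProtection on AWS Network Firewalls (added example).

The audit/remediation functions accept any object exposing the boto3
network-firewall client's method names, so they run offline against the
constructed fake client at the bottom of this file.
"""
from typing import Any, Dict, List


def list_all_firewalls(client) -> List[Dict[str, str]]:
    """Walk the paginated ListFirewalls API; return every {FirewallName, FirewallArn}."""
    firewalls: List[Dict[str, str]] = []
    kwargs: Dict[str, Any] = {}
    while True:
        page = client.list_firewalls(**kwargs)
        firewalls.extend(page.get("Firewalls", []))
        token = page.get("NextToken")
        if not token:
            return firewalls
        kwargs = {"NextToken": token}


def audit_delete_protection(client) -> Dict[str, bool]:
    """Return {firewall name: DeleteProtection flag} for every firewall in the region."""
    status: Dict[str, bool] = {}
    for fw in list_all_firewalls(client):
        desc = client.describe_firewall(FirewallArn=fw["FirewallArn"])
        status[fw["FirewallName"]] = bool(desc["Firewall"].get("DeleteProtection", False))
    return status


def enable_delete_protection(client, firewall_arn: str) -> bool:
    """Enable DeleteProtection on one firewall. Returns True if a change was made.

    The UpdateToken from DescribeFirewall is passed back so that the service
    raises InvalidTokenException if the firewall changed in between, instead
    of applying our update on top of someone else's edit.
    """
    desc = client.describe_firewall(FirewallArn=firewall_arn)
    if desc["Firewall"].get("DeleteProtection"):
        return False
    client.update_firewall_delete_protection(
        FirewallArn=firewall_arn,
        UpdateToken=desc["UpdateToken"],
        DeleteProtection=True,
    )
    return True


def remediate(client, dry_run: bool = True) -> List[str]:
    """Return names of firewalls lacking DeleteProtection; enable it unless dry_run."""
    noncompliant: List[str] = []
    for fw in list_all_firewalls(client):
        desc = client.describe_firewall(FirewallArn=fw["FirewallArn"])
        if not desc["Firewall"].get("DeleteProtection"):
            noncompliant.append(fw["FirewallName"])
            if not dry_run:
                enable_delete_protection(client, fw["FirewallArn"])
    return noncompliant


class FakeNetworkFirewallClient:
    """Constructed stand-in for boto3.client('network-firewall') with sample data.

    Two firewalls: fw-prod already protected, fw-dev not. ListFirewalls is
    paginated into two pages to exercise NextToken handling, and the update
    call enforces the UpdateToken the way the real service does.
    """

    def __init__(self) -> None:
        prefix = "arn:aws:network-firewall:us-east-1:123456789012:firewall/"  # constructed
        self.firewalls = {
            prefix + "fw-prod": {"FirewallName": "fw-prod", "DeleteProtection": True},
            prefix + "fw-dev": {"FirewallName": "fw-dev", "DeleteProtection": False},
        }
        self.tokens = {arn: "token-0" for arn in self.firewalls}
        self.calls: List[tuple] = []  # records every update made

    def list_firewalls(self, **kwargs):
        items = [{"FirewallName": f["FirewallName"], "FirewallArn": arn}
                 for arn, f in self.firewalls.items()]
        if "NextToken" not in kwargs:
            return {"Firewalls": items[:1], "NextToken": "page-2"}
        return {"Firewalls": items[1:]}

    def describe_firewall(self, FirewallArn=None, FirewallName=None):
        fw = self.firewalls[FirewallArn]
        return {"UpdateToken": self.tokens[FirewallArn],
                "Firewall": dict(fw, FirewallArn=FirewallArn)}

    def update_firewall_delete_protection(self, FirewallArn, UpdateToken, DeleteProtection):
        if UpdateToken != self.tokens[FirewallArn]:
            raise RuntimeError("InvalidTokenException: firewall changed since DescribeFirewall")
        self.firewalls[FirewallArn]["DeleteProtection"] = DeleteProtection
        self.tokens[FirewallArn] = UpdateToken + "+1"
        self.calls.append((FirewallArn, DeleteProtection))
        return {"FirewallArn": FirewallArn, "DeleteProtection": DeleteProtection,
                "UpdateToken": self.tokens[FirewallArn]}


if __name__ == "__main__":
    import sys
    try:
        import boto3  # real run; requires AWS credentials and the permissions listed above
        client = boto3.client("network-firewall")
    except ImportError:
        client = FakeNetworkFirewallClient()  # offline demonstration on constructed data
    apply_changes = "--apply" in sys.argv
    print("Firewalls without DeleteProtection:", remediate(client, dry_run=not apply_changes))
```

Run with no arguments for a dry-run report; pass --apply to enable protection on every firewall reported. The IAM identity used needs network-firewall:ListFirewalls, network-firewall:DescribeFirewall and, for --apply, network-firewall:UpdateFirewallDeleteProtection.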
Backout Plan:
Using AWS Console:
If enabling Deletion Protection causes issues, sign in to the AWS Management Console.
Navigate to AWS Network Firewall, select the Firewall you wish to modify, and go to the Deletion Protection setting.
Disable Deletion Protection if necessary and save the changes.
Verify that the firewall is no longer protected from deletion.
Using AWS CLI:
To disable Deletion Protection, run the following command:
aws network-firewall update-firewall-delete-protection --firewall-name <FIREWALL_NAME> --no-delete-protection
Verify that Deletion Protection has been disabled (the DeleteProtection field should now be false):
aws network-firewall describe-firewall --firewall-name <FIREWALL_NAME> --query 'Firewall.DeleteProtection'