Profile Applicability:

  • Level 1

Description:

AWS Network Firewall is a managed network security service that provides protection for your Amazon Virtual Private Cloud (VPC). Network Firewall Logging enables detailed logging of all traffic inspected by the firewall, helping monitor, audit, and troubleshoot network traffic. This SOP ensures that Network Firewall logging is enabled, which is essential for security monitoring, compliance, and auditing purposes.

Rationale:

  • Security Monitoring: Logging helps in monitoring network traffic and identifying potential threats or unusual activity that might require investigation.

  • Compliance: Many compliance frameworks, including PCI-DSS, SOC 2, and HIPAA, require logging for network security activities. Enabling logging for AWS Network Firewall helps meet these regulatory requirements.

  • Troubleshooting: Logs help in troubleshooting network issues, diagnosing traffic problems, and ensuring the firewall is working as expected.

  • Auditability: Logging provides a historical record of network activity, which can be reviewed for auditing purposes and is essential for forensic investigations.

Impact:

Pros:

  • Enhanced Security: Logs provide insight into the traffic being allowed or denied by the firewall, helping identify potential threats.

  • Compliance: Helps meet compliance requirements for logging and monitoring security events.

  • Audit and Troubleshooting: Logs offer the ability to track network activity, which is vital for troubleshooting and auditing.

Cons:

  • Cost: Enabling logging incurs additional costs based on the volume of logs generated and stored.

  • Storage Management: Logs need to be managed and stored securely to avoid data management issues and to ensure compliance with data retention policies

Default Value:

By default, AWS Network Firewall Logging is not enabled. You must explicitly configure and enable logging.

Pre-requisite:

  • AWS IAM Permissions:

    • network-firewall:DescribeLoggingConfiguration

    • network-firewall:CreateLoggingConfiguration

    • network-firewall:UpdateLoggingConfiguration

  • AWS CLI installed and configured.

  • Basic understanding of VPC, AWS Network Firewall, and logging services like CloudWatch.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Network Firewall under Services.

  3. In the Network Firewall Console, select Logging Configuration.

  4. Verify if logging is enabled for the Firewall Policy and Traffic Logs are being stored in CloudWatch Logs.

    • The Logging Configuration section should display the logging status as Enabled.

    • If logging is not enabled, proceed with enabling it as described in the Implementation Steps below.

Using AWS CLI:

  1. To check if Network Firewall logging is enabled, run the following command:

    aws network-firewall describe-logging-configuration --firewall-arn <firewall-arn>

  2. Verify that the output includes the CloudWatch log group where logs are being sent and confirms that logging is enabled.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Network Firewall.

  2. In the Network Firewall Console, select Logging Configuration.

  3. Choose Create Logging Configuration or Edit the existing configuration if logs are not already enabled.

  4. Under Log Destination, select CloudWatch Logs.

  5. Choose an existing Log Group or create a new one.

  6. Select the types of logs you want to capture (e.g., Traffic Logs, Alert Logs).

  7. Save the changes to enable logging for the firewall.

Using AWS CLI:

  1. To enable logging for AWS Network Firewall, run the following command:

    aws network-firewall create-logging-configuration \
  --firewall-arn <firewall-arn> \
  --log-destination <cloudwatch-log-group> \
  --log-format JSON \
  --log-type TRAFFIC

  1. To update an existing logging configuration, use the update-logging-configuration command:

    aws network-firewall update-logging-configuration \
  --firewall-arn <firewall-arn> \
  --log-destination <cloudwatch-log-group> \
  --log-format JSON \
  --log-type TRAFFIC

  1. To verify logging configuration, run:

    aws network-firewall describe-logging-configuration --firewall-arn <firewall-arn>

Backout Plan:

Using AWS Console:

  1. If enabling logging causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS Network Firewall, select the Firewall you want to modify, and go to the Logging section.

  3. Disable logging and save the changes.

  4. Verify that the firewall is no longer logging traffic.

Using AWS CLI:

  1. To disable logging for the Firewall, run:

    aws networkfirewall update-firewall --firewall-id <FIREWALL_ID> --no-log-destination

  2. Verify that logging has been disabled by describing the Firewall:

    aws networkfirewall describe-firewalls --firewall-id <FIREWALL_ID>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.