AWS_NF_5

Ensure Network firewall have subnet change protection enabled

Description

AWS Network Firewall helps you protect your VPC. Enable subnet change protection to prevent accidental modification of the firewall's subnet associations; removing an association can leave a previously protected subnet unfiltered.

Remediation

From Portal:
1. Sign in to the AWS console
2. In the console, select the specific region
3. Navigate to the ‘AWS Network Firewall’ service.
4. In the left pane under ‘Network Firewall’ click on Firewall.
5. Select desired firewall and click on ‘Firewall details’.
6. Go to ‘change protection’ and click on ‘Edit’.
7. Choose ‘enable’ for Subnet change protection option and click ‘save’.

From TF:
```diff
resource "aws_networkfirewall_firewall" "example" {
-  subnet_change_protection = false
+  subnet_change_protection = true
}
```

From Command Line:
To set subnet change protection to TRUE, use the following CLI command:
```
aws network-firewall update-subnet-change-protection --firewall-arn FW_ARN --subnet-change-protection
```
Note: The flag --subnet-change-protection sets subnet change protection to TRUE (pass --no-subnet-change-protection to disable it).
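As an added audit example (not part of this check's original text or of any vendor tool), the following Python script evaluates every firewall in a region for this control by walking ListFirewalls pagination and reading the SubnetChangeProtection field of each DescribeFirewall response. The AWS client is injected so that a constructed stub (made-up ARNs and account id) can replace boto3's "network-firewall" client for an offline run.

```python
# Audit AWS Network Firewalls for SubnetChangeProtection (AWS_NF_5).
from typing import Any, Dict, Iterator, List


def iter_firewalls(client: Any) -> Iterator[Dict[str, Any]]:
    """Yield every firewall summary, following ListFirewalls pagination."""
    kwargs: Dict[str, Any] = {}
    while True:
        page = client.list_firewalls(**kwargs)
        yield from page.get("Firewalls", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs = {"NextToken": token}


def is_compliant(describe_response: Dict[str, Any]) -> bool:
    """AWS_NF_5 passes only when SubnetChangeProtection is explicitly true."""
    return describe_response.get("Firewall", {}).get("SubnetChangeProtection") is True


def find_noncompliant(client: Any) -> List[str]:
    """Return ARNs of firewalls whose subnet change protection is disabled."""
    failing = []
    for summary in iter_firewalls(client):
        arn = summary["FirewallArn"]
        if not is_compliant(client.describe_firewall(FirewallArn=arn)):
            failing.append(arn)
    return failing


class FakeNetworkFirewall:
    """Constructed stand-in for the boto3 client; ARNs and account id are made up."""
    _PROTECTED = {"arn:aws:network-firewall:us-east-1:123456789012:firewall/fw-a": True,
                  "arn:aws:network-firewall:us-east-1:123456789012:firewall/fw-b": False,
                  "arn:aws:network-firewall:us-east-1:123456789012:firewall/fw-c": False}

    def list_firewalls(self, **kwargs):  # two pages, to exercise NextToken handling
        arns = list(self._PROTECTED)
        if "NextToken" not in kwargs:
            return {"Firewalls": [{"FirewallArn": a} for a in arns[:2]], "NextToken": "p2"}
        return {"Firewalls": [{"FirewallArn": a} for a in arns[2:]]}

    def describe_firewall(self, FirewallArn):
        return {"Firewall": {"FirewallArn": FirewallArn,
                             "SubnetChangeProtection": self._PROTECTED[FirewallArn]}}
```

For a live audit, pass boto3.client("network-firewall", region_name=...) to find_noncompliant instead of FakeNetworkFirewall(); each returned ARN is a firewall to remediate with the steps above.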

References:
1. https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_UpdateSubnetChangeProtection.html
2. CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-subnet-change-protection.html

Service

AWS Network Firewall

Severity

High

Compliance

Mapping
