chore(aws): enhance metadata for networkfirewall service (#9382)

Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
This commit is contained in:
Rubén De la Torre Vico
2025-12-05 09:39:01 +01:00
committed by GitHub
parent 74d72dd56b
commit e9efb12aa8
8 changed files with 162 additions and 94 deletions

@@ -15,6 +15,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
### Changed
- Update AWS Lightsail service metadata to new format [(#9264)](https://github.com/prowler-cloud/prowler/pull/9264)
- Update AWS GuardDuty service metadata to new format [(#9259)](https://github.com/prowler-cloud/prowler/pull/9259)
- Update AWS Network Firewall service metadata to new format [(#9382)](https://github.com/prowler-cloud/prowler/pull/9382)
- Update AWS MQ service metadata to new format [(#9267)](https://github.com/prowler-cloud/prowler/pull/9267)
- Update AWS Macie service metadata to new format [(#9265)](https://github.com/prowler-cloud/prowler/pull/9265)
- Update AWS Lightsail service metadata to new format [(#9264)](https://github.com/prowler-cloud/prowler/pull/9264)
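
Review bot: the added Network Firewall entry describes this PR as a format update only, but the hunks below also raise `Severity` from `medium` to `high` on five checks (logging_enabled, multi_az, both policy_default_action checks, policy_rule_group_associated) and change the `ResourceType` of networkfirewall_policy_rule_group_associated; a changelog reader would want those called out, e.g. `- Update AWS Network Firewall service metadata to new format and raise severity of five checks to high`. Separately, the surrounding context lists the Lightsail entry (#9264) twice (first and last visible lines of this hunk); worth deduplicating.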
@@ -98,6 +99,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Kinesis service metadata to new format [(#9262)](https://github.com/prowler-cloud/prowler/pull/9262)
- Update AWS DocumentDB service metadata to new format [(#8862)](https://github.com/prowler-cloud/prowler/pull/8862)
### Fixed
- Check `check_name` has no `resource_name` error for GCP provider [(#9169)](https://github.com/prowler-cloud/prowler/pull/9169)
- Depth Truncation and parsing error in PowerShell queries [(#9181)](https://github.com/prowler-cloud/prowler/pull/9181)

@@ -1,29 +1,37 @@
{
"Provider": "aws",
"CheckID": "networkfirewall_deletion_protection",
"CheckTitle": "Ensure that Deletion Protection safety feature is enabled for your Amazon VPC network firewalls.",
"CheckType": [],
"CheckTitle": "Network Firewall has deletion protection enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "networkfirewall",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:network-firewall::account-id:firewall/firewall-name",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsNetworkFirewallFirewall",
"Description": "Ensure that Deletion Protection safety feature is enabled for your Amazon VPC network firewalls in order to protect the firewalls from being accidentally deleted. By default, Deletion Protection is disabled for VPC network firewalls.",
"Risk": "Without a network firewall, it can be difficult to monitor and control traffic within the VPC. This can make it harder to detect and prevent attacks or unauthorized access to resources.",
"RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-9",
"Description": "**AWS Network Firewall firewalls** have **deletion protection** enabled (`DeleteProtection=true`).",
"Risk": "Without deletion protection, a firewall can be removed accidentally or by a compromised identity, letting traffic bypass inspection and logging.\n\nThis threatens **confidentiality** and **integrity** via unfiltered access, and harms **availability** through routing disruption and loss of perimeter controls.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-9"
],
"Remediation": {
"Code": {
"CLI": "aws network-firewall update-firewall-delete-protection --region <value> --firewall-name <value> --delete-protection",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws network-firewall update-firewall-delete-protection --firewall-name <FIREWALL_NAME> --delete-protection",
"NativeIaC": "```yaml\n# CloudFormation: enable deletion protection on a Network Firewall\nResources:\n <example_resource_name>:\n Type: AWS::NetworkFirewall::Firewall\n Properties:\n FirewallName: <example_resource_name> # Required: unique name for the firewall\n FirewallPolicyArn: <example_resource_id>\n VpcId: <example_resource_id>\n SubnetMappings:\n - SubnetId: <example_resource_id>\n DeleteProtection: true # Critical: enables deletion protection to pass the check\n```",
"Other": "1. Open the AWS console and go to VPC > Network Firewall > Firewalls\n2. Select the target firewall\n3. On Firewall details, choose Edit (or Change protections)\n4. Enable Deletion protection\n5. Save changes",
"Terraform": "```hcl\n# Terraform: enable deletion protection on a Network Firewall\nresource \"aws_networkfirewall_firewall\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n firewall_policy_arn = \"<example_resource_id>\"\n vpc_id = \"<example_resource_id>\"\n\n subnet_mapping {\n subnet_id = \"<example_resource_id>\"\n }\n\n delete_protection = true # Critical: prevents deletion to pass the check\n}\n```"
},
"Recommendation": {
"Text": "Ensure that Deletion Protection safety feature is enabled for your Amazon VPC network firewalls.",
"Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-9"
"Text": "Enable **deletion protection** on every firewall (`DeleteProtection=true`). Enforce **least privilege** to prevent delete actions, require **change approval** for firewall modifications, and implement guardrails with policy-as-code. Apply **defense in depth** so alternate controls contain traffic if a firewall is altered.",
"Url": "https://hub.prowler.com/check/networkfirewall_deletion_protection"
}
},
"Categories": [],
"Categories": [
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
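
Review bot: placeholder conventions are mixed within this file: the CLI line uses `<FIREWALL_NAME>` while the NativeIaC and Terraform snippets use `<example_resource_name>` / `<example_resource_id>`, and the networkfirewall_in_all_vpc file below uses `<example_resource_name>` in its CLI as well; pick one style for the PR. Also, `ResourceIdTemplate` is emptied here and in every other file of this PR, dropping the `arn:partition:network-firewall::account-id:firewall/firewall-name` template; confirm clearing it is what the new format requires rather than an oversight carried across all files.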

@@ -1,29 +1,40 @@
{
"Provider": "aws",
"CheckID": "networkfirewall_in_all_vpc",
"CheckTitle": "Ensure all VPCs have Network Firewall enabled",
"CheckType": [],
"CheckTitle": "VPC has Network Firewall enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "networkfirewall",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:network-firewall::account-id:firewall/firewall-name",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsEc2Vpc",
"Description": "Ensure all VPCs have Network Firewall enabled",
"Risk": "Without a network firewall, it can be difficult to monitor and control traffic within the VPC. This can make it harder to detect and prevent attacks or unauthorized access to resources.",
"RelatedUrl": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/setting-up.html",
"Description": "**VPCs** with an **AWS Network Firewall** associated to the same VPC to inspect and filter network traffic.\n\nIdentifies VPCs that do not have a Network Firewall resource linked to them.",
"Risk": "Without a **Network Firewall**, VPC traffic can bypass deep inspection and centralized policy enforcement, enabling **data exfiltration**, **command-and-control**, and **lateral movement**. Confidentiality is reduced by unmonitored flows; integrity and availability are threatened by malware and disruptive traffic.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/vpc-config.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/NetworkFirewall/network-firewall-in-use.html",
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/setting-up.html"
],
"Remediation": {
"Code": {
"CLI": "aws network-firewall create-firewall --firewall-name <value> --vpc-id <value>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/NetworkFirewall/network-firewall-in-use.html",
"Terraform": ""
"CLI": "aws network-firewall create-firewall --firewall-name <example_resource_name> --firewall-policy-arn <example_resource_id> --vpc-id <example_resource_id> --subnet-mappings \"SubnetId=<example_resource_id>\"",
"NativeIaC": "```yaml\n# CloudFormation: Create a Network Firewall in the VPC\nResources:\n <example_resource_name>:\n Type: AWS::NetworkFirewall::Firewall\n Properties:\n FirewallName: <example_resource_name>\n FirewallPolicyArn: <example_resource_id> # Critical: required policy for the firewall\n VpcId: <example_resource_id> # Critical: associates the firewall to the target VPC (fixes the check)\n SubnetMappings: # Critical: creates firewall endpoints in the VPC\n - SubnetId: <example_resource_id>\n```",
"Other": "1. In the AWS Console, go to Network Firewall > Firewalls > Create firewall\n2. Enter a name and select the target VPC\n3. Select an existing Firewall policy (or create one when prompted)\n4. Add at least one subnet from the VPC under Subnet mappings\n5. Choose Create firewall\n6. Verify the firewall shows under the selected VPC",
"Terraform": "```hcl\n# Create a Network Firewall in the VPC\nresource \"aws_networkfirewall_firewall\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n firewall_policy_arn = \"<example_resource_id>\" # Critical: required policy\n vpc_id = \"<example_resource_id>\" # Critical: associates firewall to the VPC (fixes the check)\n\n subnet_mapping { # Critical: creates firewall endpoint in the VPC\n subnet_id = \"<example_resource_id>\"\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure all VPCs have Network Firewall enabled",
"Url": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/vpc-config.html"
"Text": "Deploy **AWS Network Firewall** in each VPC or centralize inspection through a dedicated hub VPC.\n\nAdopt a `default-deny` posture with least-privilege rules, restrict egress to required destinations, segment workloads (**defense in depth**, **zero trust**), and enable logging to monitor and tune network policies.",
"Url": "https://hub.prowler.com/check/networkfirewall_in_all_vpc"
}
},
"Categories": [],
"Categories": [
"trust-boundaries",
"threat-detection"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
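
Review bot: the first sentence of the new Description is not a complete sentence (`**VPCs** with an **AWS Network Firewall** associated to the same VPC to inspect and filter network traffic.`); suggest `**VPCs** have an **AWS Network Firewall** associated with them to inspect and filter network traffic.` The Trend Micro knowledge-base link moved from `Other` into `AdditionalURLs` is a third-party page; check whether it adds anything the two AWS developer-guide links in the same list do not.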

@@ -1,28 +1,35 @@
{
"Provider": "aws",
"CheckID": "networkfirewall_logging_enabled",
"CheckTitle": "Ensure Network Firewall Logging is Enabled",
"CheckTitle": "Network Firewall has logging enabled",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
],
"ServiceName": "networkfirewall",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:network-firewall::account-id:firewall/firewall-name",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsNetworkFirewallFirewall",
"Description": "This control checks whether logging is enabled for an AWS Network Firewall firewall. The control fails if logging isn't enabled for at least one log type or if the logging destination doesn't exist.",
"Risk": "Failing to enable logging on an AWS Network Firewall can lead to a lack of visibility into network traffic, making it difficult to monitor and respond to security incidents effectively, which could jeopardize the security and integrity of your infrastructure.",
"RelatedUrl": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html",
"Description": "**AWS Network Firewall** has stateful engine logging configured with at least one log type (`FLOW`, `ALERT`, or `TLS`) and an active log destination",
"Risk": "Absent Network Firewall logs reduce **visibility** and **forensics**. Malicious flows, C2 traffic, and data exfiltration can go **undetected**, impacting:\n- Confidentiality (leakage)\n- Integrity (unauthorized traffic allowed)\n- Availability (DDoS patterns unnoticed)",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html",
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-update-logging-configuration.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-2"
],
"Remediation": {
"Code": {
"CLI": "aws network-firewall update-logging-configuration --firewall-arn <firewall-arn> --logging-configuration <configuration>",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-2",
"Terraform": ""
"CLI": "aws network-firewall update-logging-configuration --firewall-arn <FIREWALL_ARN> --logging-configuration 'LogDestinationConfigs=[{LogType=FLOW,LogDestinationType=CLOUDWATCH_LOGS,LogDestination={LogGroup=<LOG_GROUP_NAME>}}]'",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::NetworkFirewall::LoggingConfiguration\n Properties:\n FirewallArn: <example_resource_id> # CRITICAL: Targets the firewall to enable logging\n LoggingConfiguration:\n LogDestinationConfigs:\n - LogType: FLOW # CRITICAL: Enables at least one log type\n LogDestinationType: CloudWatchLogs # CRITICAL: Selects a valid destination type\n LogDestination:\n logGroup: <example_log_group_name> # CRITICAL: Existing CloudWatch Logs group to receive logs\n```",
"Other": "1. Open the AWS console and go to VPC > Network Firewall > Firewalls\n2. Select your firewall and open the Firewall details tab\n3. In the Logging section, click Edit\n4. Enable at least one Log type (e.g., Flow)\n5. Choose Destination type: CloudWatch Logs and select an existing log group\n6. Click Save",
"Terraform": "```hcl\nresource \"aws_networkfirewall_logging_configuration\" \"<example_resource_name>\" {\n firewall_arn = \"<example_resource_id>\" # CRITICAL: Targets the firewall to enable logging\n\n logging_configuration {\n log_destination_config {\n log_type = \"FLOW\" # CRITICAL: Enables at least one log type\n log_destination_type = \"CloudWatchLogs\" # CRITICAL: Selects a valid destination type\n log_destination = {\n logGroup = \"<example_log_group_name>\" # CRITICAL: Existing CloudWatch Logs group to receive logs\n }\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable logging for your AWS Network Firewall by updating its logging configuration to ensure comprehensive tracking of network traffic and facilitate better incident response and auditing capabilities.",
"Url": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-update-logging-configuration.html"
"Text": "Enable comprehensive firewall logging and send `FLOW`, `ALERT`, and *when applicable* `TLS` events to a centralized, tamper-resistant destination. Apply **least privilege** to writers/readers, enforce **encryption** and **retention**, and integrate alerts with monitoring for **defense in depth**.",
"Url": "https://hub.prowler.com/check/networkfirewall_logging_enabled"
}
},
"Categories": [
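
Review bot: the new CLI remediation does not match the API or the IaC snippets in the same hunk: `LogDestinationType=CLOUDWATCH_LOGS` is not a valid value (the accepted values are `S3`, `CloudWatchLogs` and `KinesisDataFirehose`, and the NativeIaC and Terraform blocks here correctly use `CloudWatchLogs`), and the CloudWatch destination key is `logGroup`, not `LogGroup`, as the YAML and HCL also show. Suggest `--logging-configuration 'LogDestinationConfigs=[{LogType=FLOW,LogDestinationType=CloudWatchLogs,LogDestination={logGroup=<LOG_GROUP_NAME>}}]'`. Minor: the new Description lacks a trailing period, unlike the other files in this PR.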

@@ -1,32 +1,40 @@
{
"Provider": "aws",
"CheckID": "networkfirewall_multi_az",
"CheckTitle": "Ensure all Network Firewall Firewalls are deployed across multiple AZ.",
"CheckTitle": "Network Firewall firewall is deployed across multiple Availability Zones",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
"Effects/Denial of Service"
],
"ServiceName": "networkfirewall",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:network-firewall::account-id:firewall/firewall-name",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsNetworkFirewallFirewall",
"Description": "Ensure all Network Firewall Firewalls are deployed in at least 2 Availability Zones.",
"Risk": "Deploying a Network Firewall in a single Availability Zone increases the risk of service disruption if that AZ experiences an outage, potentially leaving your network vulnerable to attacks or downtime.",
"RelatedUrl": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/arch-two-zone-igw.html",
"Description": "**AWS Network Firewall firewalls** are assessed for **multi-AZ deployment**, expecting subnet mappings in more than one Availability Zone.\n\nA configuration with only one subnet mapping indicates a single-AZ firewall.",
"Risk": "Single-AZ firewalls are a single point of failure. An AZ outage can drop or blackhole traffic, degrading **availability**, or prompt route changes that bypass inspection, exposing **confidentiality** and **integrity** to unfiltered access, data exfiltration, and lateral movement.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/id_id/network-firewall/latest/developerguide/arch-two-zone-igw.html",
"https://aws.amazon.com/es/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/",
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/arch-two-zone-igw.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-1"
],
"Remediation": {
"Code": {
"CLI": "aws network-firewall update-firewall-delete-protection --firewall-arn <your-firewall-arn> --firewall-name <your-firewall-name> --subnet-mappings SubnetId=<subnet-id-1>,SubnetId=<subnet-id-2>",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-1",
"Terraform": ""
"CLI": "aws network-firewall associate-subnets --firewall-arn <FIREWALL_ARN> --subnet-mappings SubnetId=<SUBNET_ID_IN_DIFFERENT_AZ>",
"NativeIaC": "```yaml\n# CloudFormation: Ensure the firewall spans multiple AZs by adding a second subnet mapping\nResources:\n <example_resource_name>:\n Type: AWS::NetworkFirewall::Firewall\n Properties:\n FirewallName: <example_resource_name>\n FirewallPolicyArn: <example_firewall_policy_arn>\n VpcId: <example_vpc_id>\n SubnetMappings:\n - SubnetId: <subnet-id-1>\n - SubnetId: <subnet-id-2> # CRITICAL: second subnet in a different AZ to achieve multi-AZ\n```",
"Other": "1. Open the AWS Console and go to VPC > Network Firewall > Firewalls\n2. Select your firewall and open the Firewall details tab\n3. In Associated policy and VPC, click Edit\n4. Click Add new subnet, choose an additional Availability Zone and its subnet in the same VPC\n5. Ensure at least two AZs are selected, then click Save",
"Terraform": "```hcl\n# Terraform: Add a second subnet_mapping to deploy the firewall across multiple AZs\nresource \"aws_networkfirewall_firewall\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n firewall_policy_arn = \"<example_firewall_policy_arn>\"\n vpc_id = \"<example_vpc_id>\"\n\n subnet_mapping {\n subnet_id = \"<subnet-id-1>\"\n }\n\n subnet_mapping {\n subnet_id = \"<subnet-id-2>\" # CRITICAL: second subnet in a different AZ for multi-AZ\n }\n}\n```"
},
"Recommendation": {
"Text": "Deploy your AWS Network Firewall across multiple Availability Zones to enhance availability, ensure traffic load balancing, and minimize the impact of any AZ-specific failures.",
"Url": "https://aws.amazon.com/es/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/"
"Text": "Deploy firewalls across `>=2` AZs with a dedicated subnet in each used AZ. Maintain per-AZ, symmetric routing to the local endpoint to preserve stateful inspection. Apply **defense in depth** and automate drift controls and AZ failover tests to sustain resilience.",
"Url": "https://hub.prowler.com/check/networkfirewall_multi_az"
}
},
"Categories": [
"redundancy"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
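
Review bot: `AdditionalURLs` contains localized duplicates: the `id_id` (Indonesian) developer-guide URL is the same page as the English `arch-two-zone-igw.html` entry two lines below it, and the `aws.amazon.com/es/blogs/...` link is the Spanish locale of the deployment-models post; drop the `id_id` entry and remove the `/es/` segment so readers land on the canonical English pages. The rest of the hunk is consistent: the removed `update-firewall-delete-protection` command was the wrong API for subnet mappings, and `associate-subnets` with a subnet in another AZ is the correct replacement.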

@@ -1,31 +1,43 @@
{
"Provider": "aws",
"CheckID": "networkfirewall_policy_default_action_fragmented_packets",
"CheckTitle": "Default action for fragmented packets is set to drop or forward.",
"CheckTitle": "Network Firewall policy drops or forwards fragmented packets by default",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
"TTPs/Defense Evasion"
],
"ServiceName": "networkfirewall",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:network-firewall::account-id:firewall/firewall-name",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsNetworkFirewallFirewall",
"Description": "NetorwFirewall firewall policy default action for fragmented packets is set to drop or forward.",
"Risk": "If the default action for fragmented packets is set to 'Pass', unintended or potentially malicious traffic may bypass filtering, exposing the network to security threats.",
"RelatedUrl": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateless-default-actions.html",
"Description": "**Network Firewall policies** are assessed for the `StatelessFragmentDefaultActions` setting to confirm **fragmented UDP packets** use `aws:drop` or `aws:forward_to_sfe`.",
"Risk": "Using `aws:pass` for **fragmented UDP** lets uninspected traffic traverse the firewall. Attackers can evade filters via fragmentation, enabling **data exfiltration** (confidentiality), payload smuggling and lateral movement (integrity), and fragment floods that strain services (availability).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_FirewallPolicy.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-5",
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-updating.html",
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateless-default-actions.html",
"https://docs.aws.amazon.com/config/latest/developerguide/netfw-policy-default-action-fragment-packets.html"
],
"Remediation": {
"Code": {
"CLI": "aws network-firewall update-firewall-policy --firewall-policy-arn <your-firewall-policy-arn> --stateless-default-actions aws:drop",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-5",
"Terraform": ""
"CLI": "",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::NetworkFirewall::FirewallPolicy\n Properties:\n FirewallPolicyName: <example_resource_name>\n FirewallPolicy:\n StatelessDefaultActions:\n - aws:drop\n StatelessFragmentDefaultActions:\n - aws:drop # Critical: ensures fragmented UDP packets are dropped by default to pass the check\n```",
"Other": "1. Open the Amazon VPC console and go to Network Firewall > Firewall policies\n2. Select the policy to edit and choose Edit\n3. Under Stateless default actions, find Fragmented packets\n4. Set the action to Drop (or Forward to stateful rule groups)\n5. Save changes",
"Terraform": "```hcl\nresource \"aws_networkfirewall_firewall_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n firewall_policy {\n stateless_default_actions = [\"aws:drop\"]\n stateless_fragment_default_actions = [\"aws:drop\"] # Critical: drop fragmented UDP packets by default to pass the check\n }\n}\n```"
},
"Recommendation": {
"Text": "Update the firewall policy to ensure fragmented packets are either dropped or forwarded to stateful rule groups for additional filtering, reducing the risk of unwanted traffic entering the network.",
"Url": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-updating.html"
"Text": "Set `StatelessFragmentDefaultActions` to `aws:drop` or `aws:forward_to_sfe` so fragments are blocked or sent for **stateful inspection**. Apply **least privilege** on traffic flows, use **defense in depth** with rule groups, and monitor logs for anomalous fragmentation.",
"Url": "https://hub.prowler.com/check/networkfirewall_policy_default_action_fragmented_packets"
}
},
"Categories": [],
"Categories": [
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
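
Review bot: emptying the CLI field is justified for the removed command (`update-firewall-policy` has no `--stateless-default-actions` flag; it takes a complete `--firewall-policy` document plus a required `--update-token`), but it leaves this check with no command-line remediation at all. Consider a two-step note in `Other` or `Notes`: read the current policy and token with `aws network-firewall describe-firewall-policy --firewall-policy-arn <ARN>`, edit `StatelessFragmentDefaultActions` to `["aws:drop"]` in the returned document, then resubmit it with `aws network-firewall update-firewall-policy --firewall-policy-arn <ARN> --update-token <TOKEN> --firewall-policy file://policy.json`.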

@@ -1,31 +1,40 @@
{
"Provider": "aws",
"CheckID": "networkfirewall_policy_default_action_full_packets",
"CheckTitle": "NetworkFirewall firewall policy default action for full packets is set to drop or forward.",
"CheckTitle": "Network Firewall firewall policy default stateless action for full packets is drop or forward",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
],
"ServiceName": "networkfirewall",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:network-firewall::account-id:firewall/firewall-name",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsNetworkFirewallFirewall",
"Description": "Default stateless action for full packets must be set to drop or forward in AWS Network Firewall policy.",
"Risk": "If the default stateless action for full packets is set to 'Pass', unintended traffic may bypass network filtering, leading to potential security vulnerabilities by allowing unauthorized or harmful packets.",
"RelatedUrl": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateless-default-actions.html",
"Description": "**AWS Network Firewall policies** define a **stateless default action** for full packets. This evaluates whether unmatched packets are handled by `aws:drop` or `aws:forward_to_sfe`, meaning they are either discarded or sent to the stateful engine rather than allowed to pass.",
"Risk": "Using `Pass` as the default allows unmatched full packets to bypass stateless filtering and stateful inspection, enabling reconnaissance, malware delivery, and covert data exfiltration. This undermines **confidentiality** and **integrity**, and can threaten **availability** through unfiltered attacks.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-4",
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateless-default-actions.html",
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-updating.html"
],
"Remediation": {
"Code": {
"CLI": "aws network-firewall update-firewall-policy --firewall-policy-arn <your-firewall-policy-arn> --stateless-default-actions aws:drop",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-4",
"Terraform": ""
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: set default stateless action for full packets to Drop\nResources:\n <example_resource_name>:\n Type: AWS::NetworkFirewall::FirewallPolicy\n Properties:\n FirewallPolicyName: <example_resource_name>\n FirewallPolicy:\n StatelessDefaultActions:\n - aws:drop # CRITICAL: full packets default to Drop (fixes the check)\n StatelessFragmentDefaultActions:\n - aws:drop # Required for a valid policy\n```",
"Other": "1. In the AWS console, open Amazon VPC\n2. Under Network Firewall, select Firewall policies\n3. Open the target firewall policy and choose Edit\n4. In Stateless default actions (full packets), select Drop (or Forward to stateful rule groups)\n5. Choose Save",
"Terraform": "```hcl\n# Terraform: set default stateless action for full packets to Drop\nresource \"aws_networkfirewall_firewall_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n firewall_policy {\n stateless_default_actions = [\"aws:drop\"] # CRITICAL: full packets default to Drop (fixes the check)\n stateless_fragment_default_actions = [\"aws:drop\"] # Required for a valid policy\n }\n}\n```"
},
"Recommendation": {
"Text": "Modify the firewall policy to ensure that full packets are either dropped or forwarded to stateful rule groups for further inspection, mitigating the risk of unauthorized traffic entering the network.",
"Url": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-updating.html"
"Text": "Enforce a **deny-by-default** posture: set the stateless default for full packets to `aws:drop` or `aws:forward_to_sfe`. Use explicit allow rules, layer **stateful inspection**, and maintain logging and reviews to support **defense in depth** and **least privilege**.",
"Url": "https://hub.prowler.com/check/networkfirewall_policy_default_action_full_packets"
}
},
"Categories": [],
"Categories": [
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
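
Review bot: the Risk text uses `Pass` for the default action while the Description, the Recommendation and the sibling fragmented-packets file use the API spellings `aws:pass` / `aws:drop` / `aws:forward_to_sfe`; use `aws:pass` here for consistency. Same remark as on the fragmented-packets hunk about the emptied CLI field: the removed command was incorrect, but a `describe-firewall-policy` / `update-firewall-policy --update-token <TOKEN> --firewall-policy file://policy.json` pair would keep a CLI remediation available.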

@@ -1,31 +1,42 @@
{
"Provider": "aws",
"CheckID": "networkfirewall_policy_rule_group_associated",
"CheckTitle": "Ensure Network Firewall Policies Have at Least One Rule Group Associated",
"CheckTitle": "Network Firewall policy has at least one rule group associated",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53"
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
],
"ServiceName": "networkfirewall",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:network-firewall::account-id:firewall-policy/policy-name",
"Severity": "medium",
"ResourceType": "AwsNetworkFirewallFirewallPolicy",
"Description": "This control checks whether a Network Firewall policy has any stateful or stateless rule groups associated. The control fails if stateless or stateful rule groups are not assigned.",
"Risk": "If a Network Firewall policy does not have at least one rule group associated, it may fail to properly filter and handle traffic, leaving the network vulnerable to unauthorized access and attacks.",
"RelatedUrl": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups.html",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsNetworkFirewallFirewall",
"Description": "Network Firewall policies have one or more **stateful** or **stateless rule groups** associated to define packet inspection and handling.\n\nPolicies with no rule groups are identified.",
"Risk": "Without rule groups, traffic isn't meaningfully inspected, allowing unauthorized flows across VPC boundaries.\n\nImpacts:\n- Confidentiality: data exfiltration\n- Integrity: unauthorized changes via exposed services\n- Availability: C2, scanning, or DoS traffic passes; enables lateral movement",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups.html",
"https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-updating.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-3",
"https://medium.com/slalom-blog/secure-internet-access-egress-filtering-with-aws-network-firewall-ddf52ae121f9",
"https://docs.aws.amazon.com/de_de/network-firewall/latest/developerguide/nwfw-using-managed-rule-groups-add-to-policy.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-3",
"Terraform": ""
"NativeIaC": "```yaml\n# CloudFormation: Attach at least one rule group to a Network Firewall policy\nResources:\n FirewallPolicy:\n Type: AWS::NetworkFirewall::FirewallPolicy\n Properties:\n FirewallPolicyName: <example_resource_name>\n FirewallPolicy:\n StatelessDefaultActions:\n - aws:forward_to_sfe\n StatelessFragmentDefaultActions:\n - aws:forward_to_sfe\n # Critical: Associate at least one rule group with the policy to pass the check\n StatefulRuleGroupReferences:\n - ResourceArn: <example_resource_arn> # Critical line: references an existing rule group ARN\n```",
"Other": "1. Open the AWS Console and go to VPC > Network Firewall > Firewall policies\n2. Select the target firewall policy\n3. In Stateful rule groups (or Stateless rule groups), choose Add rule groups (or Add managed stateful/stateless rule groups)\n4. Select at least one existing rule group and choose Add to policy\n5. Click Save",
"Terraform": "```hcl\n# Attach at least one rule group to a Network Firewall policy\nresource \"aws_networkfirewall_firewall_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n firewall_policy {\n stateless_default_actions = [\"aws:forward_to_sfe\"]\n stateless_fragment_default_actions = [\"aws:forward_to_sfe\"]\n\n # Critical: Associate at least one rule group with the policy to pass the check\n stateful_rule_group_reference {\n resource_arn = \"<example_resource_arn>\" # Critical line: references an existing rule group ARN\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Regularly review your Network Firewall policies to ensure they have the necessary rule groups associated. Create and manage rule groups as needed to maintain effective traffic filtering and security.",
"Url": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-updating.html"
"Text": "Associate appropriate **stateful** and **stateless rule groups** with every policy.\n- Enforce a **deny-by-default** posture (least privilege)\n- Use vetted managed rule groups as a baseline, then tailor to workloads\n- Review and test regularly; version rules, monitor logs, and require change control",
"Url": "https://hub.prowler.com/check/networkfirewall_policy_rule_group_associated"
}
},
"Categories": [],
"Categories": [
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
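
Review bot: changing `ResourceType` from `AwsNetworkFirewallFirewallPolicy` to `AwsNetworkFirewallFirewall` looks like a regression: the CheckID, the new Description (`Network Firewall policies have one or more ... rule groups associated ... Policies with no rule groups are identified.`) and the removed `ResourceIdTemplate` (`.../firewall-policy/policy-name`) all say the evaluated resource is the firewall policy, not the firewall. Keep `AwsNetworkFirewallFirewallPolicy` here; the two policy_default_action files in this PR keep `AwsNetworkFirewallFirewall` while also evaluating policies, so the same question applies there. Also, the `de_de` developer-guide link in `AdditionalURLs` is the German-locale page; use the English URL without the `de_de` segment.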