turbot/aws_compliance

Control: 3 Network Firewall policies should have at least one rule group associated

Description

This control checks whether a Network Firewall policy has at least one stateful or stateless rule group associated. The control fails if the policy has neither stateless nor stateful rule groups assigned.

A firewall policy defines how your firewall monitors and handles traffic in Amazon Virtual Private Cloud (Amazon VPC). The stateless and stateful rule groups referenced by the policy determine how packets and traffic flows are filtered, and the policy also defines the default handling for traffic that no rule matches. A policy with no rule groups therefore applies only its default actions and inspects traffic against no rules at all.

Remediation

To update a firewall policy and add a rule group through the console:

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, under Network Firewall, choose Firewall policies.
  3. In the Firewall policies page, select the name of the firewall policy you want to update.
  4. On the firewall policy's page, edit the stateless or stateful rule groups and add at least one rule group, then save the policy.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_networkfirewall_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_networkfirewall_3 --share

SQL

This control uses a named query:

networkfirewall_firewall_policy_rule_group_not_empty
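
The following query illustrates the check described above (a policy passes if it references at least one stateless or stateful rule group) in the shape Powerpipe expects from a control query: a resource, a status of ok or alarm, a reason, and dimension columns. It is an added example, not the text of the mod's named query. It assumes the Steampipe aws_networkfirewall_firewall_policy table, whose firewall_policy jsonb column mirrors the DescribeFirewallPolicy API structure with StatelessRuleGroupReferences and StatefulRuleGroupReferences arrays.

```sql
-- Added example of the control's logic; not the mod's own query.
-- Assumes the Steampipe table aws_networkfirewall_firewall_policy and that its
-- firewall_policy jsonb column carries the API's
-- StatelessRuleGroupReferences / StatefulRuleGroupReferences arrays.
with rule_group_counts as (
  select
    arn,
    name,
    region,
    account_id,
    -- jsonb_array_length(null) is null when the key is absent, so treat that as 0
    coalesce(jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences'), 0) as stateless_count,
    coalesce(jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences'), 0) as stateful_count
  from
    aws_networkfirewall_firewall_policy
)
select
  -- Powerpipe control output: resource, status, reason, then dimensions
  arn as resource,
  case
    when stateless_count + stateful_count = 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when stateless_count + stateful_count = 0
      then name || ' has no stateless or stateful rule groups associated.'
    else name || ' has ' || stateless_count || ' stateless and '
      || stateful_count || ' stateful rule group(s) associated.'
  end as reason,
  region,
  account_id
from
  rule_group_counts;
```

Run it from the Steampipe query shell (`steampipe query`) with the AWS plugin configured. Counting both rule group types separately, rather than testing a single combined flag, keeps the reason column informative when only one type is present.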

Tags