Control: 5 The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
Description
This control checks whether the default stateless action for fragmented packets for a Network Firewall policy is drop or forward. The control passes if Drop or Forward is selected, and fails if Pass is selected.
A firewall policy defines how your firewall monitors and handles traffic in Amazon VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to Pass can allow unintended traffic.
Remediation
To update firewall policy and update actions through console:
- Sign in to the AWS Management Console and open the Amazon VPC console.
- In the navigation pane, under Network Firewall, choose Firewall policies.
- Select the name of the firewall policy that you want to edit. This takes you to the firewall policy’s details page.
- In Stateless Default Actions, choose Edit. Then choose Drop or Forward to stateful rule groups as the Default actions for fragmented packets.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_networkfirewall_5
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_networkfirewall_5 --share
SQL
This control uses a named query:
networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets