turbot/steampipe-mod-aws-compliance

Control: 6 Stateless network firewall rule group should not be empty

Description

This control checks whether a stateless Network Firewall rule group contains any rules. The control fails for a stateless rule group that contains no rules.

A rule group contains the rules that define how your firewall processes traffic in your VPC. An empty stateless rule group that is referenced from a firewall policy might give the impression that it processes traffic; in fact, a stateless rule group with no rules processes no traffic at all.

Remediation

To update a rule group and add a rule through the console:

  1. Sign in to the AWS Management Console and open the Amazon VPC console.
  2. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.
  3. In the Network Firewall rule groups page, choose the name of the firewall rule group that you want to edit. This takes you to the firewall rule groups details page.
  4. For stateless rule groups, choose Edit Rules to add rules to the rule group.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_networkfirewall_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_networkfirewall_6 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    -- stateful rule groups are outside the scope of this control
    when type = 'STATEFUL' then 'skip'
    -- a stateless rule group passes when it holds at least one rule
    when jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when type = 'STATEFUL' then title || ' is a stateful rule group.'
    else title || ' has ' || jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') || ' rule(s).'
  end as reason,
  region,
  account_id
from
  aws_networkfirewall_rule_group;
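To see how the control's query classifies each kind of rule group, the following is an added example (not part of the mod) that runs the same logic against constructed rows standing in for Steampipe's aws_networkfirewall_rule_group table. The ARNs, titles, account id and the stateful rule string are made up. The example also goes one step beyond the control's query: it wraps the rule count in coalesce so that a stateless group whose StatelessRules key is absent is still reported with a count instead of a null reason.

```sql
-- Added example: the control's logic evaluated against constructed rows.
-- The CTE stands in for Steampipe's aws_networkfirewall_rule_group table;
-- ARNs, titles, the account id and the rule string are made up.
with sample_rule_groups(arn, title, type, rules_source, region, account_id) as (
  values
    -- stateless group with two rules
    ('arn:aws:network-firewall:us-east-1:111122223333:stateless-rulegroup/allow-web',
     'allow-web', 'STATELESS',
     '{"StatelessRulesAndCustomActions": {"StatelessRules": [{"Priority": 1}, {"Priority": 2}]}}'::jsonb,
     'us-east-1', '111122223333'),
    -- stateless group with an empty rule list: the case this control targets
    ('arn:aws:network-firewall:us-east-1:111122223333:stateless-rulegroup/placeholder',
     'placeholder', 'STATELESS',
     '{"StatelessRulesAndCustomActions": {"StatelessRules": []}}'::jsonb,
     'us-east-1', '111122223333'),
    -- stateless group whose StatelessRules key is missing entirely
    ('arn:aws:network-firewall:us-east-1:111122223333:stateless-rulegroup/no-rules-key',
     'no-rules-key', 'STATELESS',
     '{"StatelessRulesAndCustomActions": {}}'::jsonb,
     'us-east-1', '111122223333'),
    -- stateful group: outside the scope of this control
    ('arn:aws:network-firewall:us-east-1:111122223333:stateful-rulegroup/ids',
     'ids', 'STATEFUL',
     '{"RulesString": "pass tcp any any -> any any (sid:1;)"}'::jsonb,
     'us-east-1', '111122223333')
),
-- Compute the rule count once. jsonb_array_length(null) is null, and a null
-- concatenated into the reason string would make the whole reason null, so
-- coalesce maps a missing StatelessRules array to a count of 0.
counted as (
  select
    arn,
    title,
    type,
    region,
    account_id,
    coalesce(
      jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules'),
      0
    ) as rule_count
  from sample_rule_groups
)
select
  arn as resource,
  case
    when type = 'STATEFUL' then 'skip'
    when rule_count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when type = 'STATEFUL' then title || ' is a stateful rule group.'
    else title || ' has ' || rule_count || ' rule(s).'
  end as reason,
  region,
  account_id
from counted
order by status, title;
```

The query runs on any PostgreSQL database, including the one Steampipe exposes. Both stateless groups without rules end up in alarm, the group with two rules is ok, and the stateful group is skipped; the coalesce is what keeps the reason for the key-less group readable.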

Tags