turbot/steampipe-mod-aws-compliance

Control: Network Firewall firewalls should have subnet change protection enabled

Description

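This control checks whether subnet change protection is enabled for an AWS Network Firewall firewall. The control fails if subnet change protection isn't enabled for the firewall. With the setting enabled, the firewall's subnet associations are protected against change, which guards against accidentally modifying them on a firewall that is in use.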

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.networkfirewall_firewall_subnet_change_protection_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.networkfirewall_firewall_subnet_change_protection_enabled --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when subnet_change_protection then 'ok'
    else 'alarm'
  end status,
  case
    when subnet_change_protection then title || ' subnet change protection enabled.'
    else title || ' subnet change protection disabled.'
  end reason,
  region,
  account_id
from
  aws_networkfirewall_firewall;

Tags