Control: Stateless network firewall rule group should not be empty
Description
A rule group contains rules that define how your firewall processes traffic in your VPC. An empty stateless rule group when present in a firewall policy might give the impression that the rule group will process traffic. However, when the stateless rule group is empty, it does not process traffic.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.networkfirewall_stateless_rule_group_not_emptySnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.networkfirewall_stateless_rule_group_not_empty --shareSQL
This control uses a named query:
select arn as resource, case when type = 'STATEFUL' then 'skip' when jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') > 0 then 'ok' else 'alarm' end as status, case when type = 'STATEFUL' then title || ' is a stateful rule group.' else title || ' has ' || jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') || ' rule(s).' end as reason , region, account_idfrom aws_networkfirewall_rule_group;