feat(networkfirewall): add new check networkfirewall_policy_rule_group_associated
#5225
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…o PRWLR-4557-ensure-network-firewall-policies-have-at-least-one-rule-group-associated
github-actions
bot
added
the
provider/aws
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #5225 +/- ##
==========================================
+ Coverage 89.09% 89.11% +0.01%
==========================================
Files 987 990 +3
Lines 30310 30435 +125
==========================================
+ Hits 27006 27121 +115
- Misses 3304 3314 +10 ☔ View full report in Codecov by Sentry. |
sergargar
reviewed
Sep 30, 2024
Comment on lines
18
to
19
| print(firewall.stateless_rule_groups) | ||
| print(firewall.stateful_rule_groups) |
There was a problem hiding this comment.
Suggested change
| print(firewall.stateless_rule_groups) | |
| print(firewall.stateful_rule_groups) |
sergargar
reviewed
Sep 30, 2024
Comment on lines
21
to
22
| firewall.stateful_rule_groups == [] | ||
| and firewall.stateless_rule_groups == [] |
There was a problem hiding this comment.
Suggested change
| firewall.stateful_rule_groups == [] | |
| and firewall.stateless_rule_groups == [] | |
| not firewall.stateful_rule_groups | |
| and not firewall.stateless_rule_groups |
sergargar
reviewed
Sep 30, 2024
| ) | ||
| ] | ||
| except Exception as error: | ||
| logger.error( |
There was a problem hiding this comment.
Use the logger pattern, please.
sergargar
reviewed
Sep 30, 2024
Comment on lines
14
to
15
| self._describe_firewall() | ||
| self._describe_firewall_policy() |
There was a problem hiding this comment.
Can you use threading call for both functions, please?
sergargar
reviewed
Sep 30, 2024
| "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53" | ||
| ], | ||
| "ServiceName": "Network Firewall", | ||
| "SubServiceName": "Firewall Policy", |
There was a problem hiding this comment.
Suggested change
| "SubServiceName": "Firewall Policy", | |
| "SubServiceName": "", |
sergargar
reviewed
Sep 30, 2024
| "CheckType": [ | ||
| "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53" | ||
| ], | ||
| "ServiceName": "Network Firewall", |
There was a problem hiding this comment.
Suggested change
| "ServiceName": "Network Firewall", | |
| "ServiceName": "network-firewall", |
sergargar
reviewed
Sep 30, 2024
| "RelatedUrl": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups.html", | ||
| "Remediation": { | ||
| "Code": { | ||
| "CLI": "aws network-firewall update-firewall-policy --firewall-policy-arn <policy-arn> --rule-group-arn <rule-group-arn>", |
There was a problem hiding this comment.
Suggested change
| "CLI": "aws network-firewall update-firewall-policy --firewall-policy-arn <policy-arn> --rule-group-arn <rule-group-arn>", | |
| "CLI": "", |
Since this cannot be done with only one single command.
sergargar
approved these changes
Sep 30, 2024
sergargar
deleted the
PRWLR-4557-ensure-network-firewall-policies-have-at-least-one-rule-group-associated
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
Amazon Network Firewall policies are integral to securing network configurations in AWS environments. A firewall policy specifies how traffic is monitored and managed, controlling how data packets flow into and out of Amazon Virtual Private Cloud (VPC). Without associated rule groups, the policy cannot filter traffic or handle threats effectively, which may leave the network open to unauthorized access or data breaches.
Description
This check ensures that each Network Firewall policy has at least one stateful or stateless rule group associated with it. Rule groups are essential components of the firewall policy, used to define packet filtering and traffic flow rules. If no rule groups are associated, the firewall cannot enforce any security protocols, rendering it ineffective. Having properly configured rule groups ensures that traffic is monitored, filtered, and handled according to security standards, safeguarding your VPC from unauthorized access or malicious activities.
Checklist
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.