feat(networkfirewall): add new check networkfirewall_policy_rule_group_associated
#5225
…o PRWLR-4557-ensure-network-firewall-policies-have-at-least-one-rule-group-associated
Codecov Report
Attention: Patch coverage is
Additional details and impacted files

@@ Coverage Diff @@
## master #5225 +/- ##
==========================================
+ Coverage 89.09% 89.11% +0.01%
==========================================
Files 987 990 +3
Lines 30310 30435 +125
==========================================
+ Hits 27006 27121 +115
- Misses 3304 3314 +10
☔ View full report in Codecov by Sentry.
print(firewall.stateless_rule_groups) | ||
print(firewall.stateful_rule_groups) |
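Review bot: the two `print(...)` calls on these lines look like leftover debugging output; a check should not write to stdout, since that leaks into whatever output format the CLI is producing, so remove them before merge (the project logger is the right channel if anything here needs recording).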
print(firewall.stateless_rule_groups) | |
print(firewall.stateful_rule_groups) |
firewall.stateful_rule_groups == [] | ||
and firewall.stateless_rule_groups == [] |
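Review bot: the `== []` comparisons on both lines only match a genuine empty list; if the service model ever leaves one of these attributes as None, or populates it with a tuple, a policy with no rule groups would wrongly pass. Test emptiness with `not firewall.stateful_rule_groups and not firewall.stateless_rule_groups` instead.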
firewall.stateful_rule_groups == [] | |
and firewall.stateless_rule_groups == [] | |
not firewall.stateful_rule_groups | |
and not firewall.stateless_rule_groups |
) | ||
] | ||
except Exception as error: | ||
logger.error( |
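Review bot: the `except Exception as error:` on the third line catches everything, including programming errors in the check itself, so the `logger.error(...)` that follows (cut off in this hunk) needs to carry enough context to debug from: at minimum the region and the exception class name alongside the message, in the same format the other checks use, rather than a bare string.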
Use the logger pattern, please.
self._describe_firewall() | ||
self._describe_firewall_policy() |
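Review bot: before running these two calls concurrently, confirm that `_describe_firewall_policy()` does not read the firewall list built by `_describe_firewall()`; if the policy lookup depends on the firewall enumeration, the ordering here is a real dependency and only the per-region work inside each method should be parallelised, not the two methods against each other.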
Can you use a threading call for both functions, please?
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53" | ||
], | ||
"ServiceName": "Network Firewall", | ||
"SubServiceName": "Firewall Policy", |
"SubServiceName": "Firewall Policy", | |
"SubServiceName": "", |
"CheckType": [ | ||
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53" | ||
], | ||
"ServiceName": "Network Firewall", |
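Review bot: `ServiceName` on the last line is a human-readable label, while the rest of the metadata uses machine identifiers (CheckType, and the check id itself is prefixed `networkfirewall_`); use the service identifier form, as suggested below, so anything that groups findings by service does not treat this check as a separate service from the others.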
"ServiceName": "Network Firewall", | |
"ServiceName": "network-firewall", |
"RelatedUrl": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups.html", | ||
"Remediation": { | ||
"Code": { | ||
"CLI": "aws network-firewall update-firewall-policy --firewall-policy-arn <policy-arn> --rule-group-arn <rule-group-arn>", |
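Review bot: the remediation command on the last line is not a valid AWS CLI invocation: `update-firewall-policy` has no `--rule-group-arn` option. Rule groups are attached through the `--firewall-policy` JSON structure (`StatefulRuleGroupReferences` / `StatelessRuleGroupReferences`), and the call also requires the current `--update-token`, which has to be fetched first with `describe-firewall-policy`. Either leave the CLI field empty as suggested or document it as the two-step procedure it actually is.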
"CLI": "aws network-firewall update-firewall-policy --firewall-policy-arn <policy-arn> --rule-group-arn <rule-group-arn>", | |
"CLI": "", |
Since this cannot be done with only one single command.
Context
Amazon Network Firewall policies are integral to securing network configurations in AWS environments. A firewall policy specifies how traffic is monitored and managed, controlling how data packets flow into and out of Amazon Virtual Private Cloud (VPC). Without associated rule groups, the policy cannot filter traffic or handle threats effectively, which may leave the network open to unauthorized access or data breaches.
Description
This check ensures that each Network Firewall policy has at least one stateful or stateless rule group associated with it. Rule groups are essential components of the firewall policy, used to define packet filtering and traffic flow rules. If no rule groups are associated, the firewall cannot enforce any security protocols, rendering it ineffective. Having properly configured rule groups ensures that traffic is monitored, filtered, and handled according to security standards, safeguarding your VPC from unauthorized access or malicious activities.
Checklist
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
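The check described above, written out as an added example that is not code from this PR or from Prowler: it parses the FirewallPolicy structure returned by describe-firewall-policy, treats a missing or empty reference list as "no rule groups", and tests emptiness by truthiness rather than `== []`. The policy names, account id and ARNs are constructed sample values.

```python
"""Added example, not Prowler's own code: flag AWS Network Firewall policies with
no stateful or stateless rule group attached. Input dicts mirror the shape of a
describe-firewall-policy response; all ARNs and names are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class FirewallPolicy:
    """Just the fields the rule-group association check needs."""
    arn: str
    name: str
    region: str
    stateless_rule_groups: list = field(default_factory=list)
    stateful_rule_groups: list = field(default_factory=list)


def parse_policy(response: dict, region: str) -> FirewallPolicy:
    """Build a FirewallPolicy from one describe-firewall-policy response.
    Both reference lists are optional in the API output, so a missing key reads
    as 'no rule groups of that kind' rather than raising KeyError."""
    meta = response["FirewallPolicyResponse"]
    body = response.get("FirewallPolicy") or {}
    return FirewallPolicy(
        arn=meta["FirewallPolicyArn"],
        name=meta["FirewallPolicyName"],
        region=region,
        stateless_rule_groups=[r["ResourceArn"] for r in body.get("StatelessRuleGroupReferences", [])],
        stateful_rule_groups=[r["ResourceArn"] for r in body.get("StatefulRuleGroupReferences", [])],
    )


def has_rule_group(policy: FirewallPolicy) -> bool:
    """Truthiness rather than `== []`, so None or an empty tuple also count as empty."""
    return bool(policy.stateful_rule_groups or policy.stateless_rule_groups)


def evaluate_policies(policies) -> list:
    """One finding per policy: PASS when at least one rule group is associated."""
    findings = []
    for p in policies:
        if has_rule_group(p):
            status = "PASS"
            detail = (f"Network Firewall policy {p.name} has {len(p.stateful_rule_groups)} stateful "
                      f"and {len(p.stateless_rule_groups)} stateless rule group(s) associated.")
        else:
            status = "FAIL"
            detail = f"Network Firewall policy {p.name} has no rule groups associated."
        findings.append({"region": p.region, "resource_arn": p.arn,
                         "status": status, "status_extended": detail})
    return findings


ACCOUNT = "111122223333"  # constructed sample account id

# Constructed describe-firewall-policy responses (hypothetical names and ARNs).
SAMPLE_RESPONSES = [
    ("us-east-1", {
        "FirewallPolicyResponse": {
            "FirewallPolicyName": "prod-policy",
            "FirewallPolicyArn": f"arn:aws:network-firewall:us-east-1:{ACCOUNT}:firewall-policy/prod-policy"},
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [
                {"ResourceArn": f"arn:aws:network-firewall:us-east-1:{ACCOUNT}:stateful-rulegroup/block-malware"}]}}),
    # Only default actions: traffic is passed wholesale, nothing is inspected.
    ("us-east-1", {
        "FirewallPolicyResponse": {
            "FirewallPolicyName": "empty-policy",
            "FirewallPolicyArn": f"arn:aws:network-firewall:us-east-1:{ACCOUNT}:firewall-policy/empty-policy"},
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:pass"],
            "StatelessRuleGroupReferences": [],
            "StatefulRuleGroupReferences": []}}),
    # Reference keys absent entirely; the parser must tolerate this.
    ("eu-west-1", {
        "FirewallPolicyResponse": {
            "FirewallPolicyName": "bare-policy",
            "FirewallPolicyArn": f"arn:aws:network-firewall:eu-west-1:{ACCOUNT}:firewall-policy/bare-policy"},
        "FirewallPolicy": {"StatelessDefaultActions": ["aws:drop"]}}),
]


def run_example() -> list:
    """Parse the constructed responses and evaluate them; returns the findings."""
    return evaluate_policies(parse_policy(resp, region) for region, resp in SAMPLE_RESPONSES)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['region']} {f['status']}: {f['status_extended']}")
```

The second and third samples show why the check matters: a policy with only default actions still forwards or drops traffic, but nothing in it inspects packets, so both report FAIL even though the policy is syntactically valid.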