More Info:

This rule checks if AWS Network Firewall firewalls are deployed across multiple Availability Zones. The rule is NON_COMPLIANT if firewalls are deployed in only one Availability Zone or in fewer zones than the number listed in the optional parameter.

Risk Level

Low

Address

Availability

Compliance Standards

HIPAA,NIST,HITRUST,AWSWAF,SOC2,NISTCSF,PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of network firewalls deployed across multiple availability zones for AWS EC2 instances, follow these steps using the AWS Management Console:
  1. Access the AWS Management Console: Go to the AWS Management Console (https://aws.amazon.com/console/).
  2. Navigate to the VPC Dashboard:
    • Click on “Services” in the top menu bar.
    • Under the “Networking & Content Delivery” section, click on “VPC” to open the VPC Dashboard.
  3. Select the VPC with Misconfigured Network Firewalls:
    • In the VPC Dashboard, locate and select the VPC that contains the misconfigured network firewalls across multiple availability zones.
  4. Review the Network ACLs:
    • In the left-hand menu, click on “Network ACLs” to view the network access control lists associated with the selected VPC.
    • Review the existing network ACLs to identify any misconfigurations related to allowing or blocking traffic across availability zones.
  5. Edit the Network ACL Rules:
    • Select the network ACL that needs to be modified to enforce network firewall rules within the same availability zone.
    • Click on the “Inbound Rules” and “Outbound Rules” tabs to edit the rules as needed.
  6. Modify the Network ACL Rules:
    • Update the network ACL rules to ensure that the desired traffic is allowed or blocked within the same availability zone.
    • You may need to add specific rules to allow or deny traffic based on your organization’s security requirements.
  7. Save the Changes:
    • After making the necessary modifications to the network ACL rules, click on the “Save” or “Apply” button to apply the changes.
  8. Verify the Configuration:
    • Test the network connectivity between EC2 instances within the same availability zone to confirm that the network firewall rules are correctly configured.
  9. Monitor and Maintain:
    • Regularly monitor the network ACLs and security groups associated with your VPC to ensure ongoing compliance with your organization’s security policies.
By following these steps and updating the network ACL rules to enforce network firewalls within the same availability zone, you can remediate the misconfiguration of network firewalls deployed across multiple availability zones for AWS EC2 instances.

To remediate the misconfiguration of network firewalls deployed across multiple availability zones in AWS EC2 using AWS CLI, follow these steps:
  1. Identify the security group(s) associated with the EC2 instances that are deployed across multiple availability zones.
  2. Determine the specific availability zones where the EC2 instances are located.
  3. Use the AWS CLI to create separate security groups for each availability zone where the EC2 instances are deployed. You can use the following command to create a new security group in a specific VPC and availability zone: 
aws ec2 create-security-group --group-name <new-security-group-name> --description "New security group for AZ <availability-zone>" --vpc-id <vpc-id> --region <region> --availability-zone <availability-zone>
  1. Update the security group rules for each new security group to allow the necessary inbound and outbound traffic for the EC2 instances in that specific availability zone. You can use the following commands to add rules to the security group:
aws ec2 authorize-security-group-ingress --group-id <new-security-group-id> --protocol <protocol> --port <port> --cidr <cidr-block>
aws ec2 authorize-security-group-egress --group-id <new-security-group-id> --protocol <protocol> --port <port> --cidr <cidr-block>
  1. Associate the new security groups with the EC2 instances in the corresponding availability zones. You can use the following command to modify the security group of an EC2 instance:
aws ec2 modify-instance-attribute --instance-id <instance-id> --groups <new-security-group-id>
  1. Verify that the new security groups are correctly applied to the EC2 instances in each availability zone by checking the instance details and security group associations.
By following these steps, you can remediate the misconfiguration of network firewalls deployed across multiple availability zones in AWS EC2 using the AWS CLI.
To remediate the misconfiguration of network firewalls deployed across multiple availability zones for AWS EC2 using Python, you can follow these steps:
  1. Identify the Security Group(s) associated with the EC2 instances that need to be restricted to specific availability zones.
  2. Use the AWS SDK for Python (Boto3) to update the inbound and outbound rules of the Security Group(s) to restrict traffic to/from specific availability zones.
  3. Install the Boto3 library if you haven’t already: 
pip install boto3
  1. Write a Python script to update the Security Group rules. Here’s an example script that restricts inbound and outbound traffic to/from a specific availability zone (e.g., us-west-1a):
import boto3

ec2 = boto3.client('ec2')

# Specify the Security Group ID that you want to update
security_group_id = 'YOUR_SECURITY_GROUP_ID'

# Specify the availability zone you want to allow traffic to/from
availability_zone = 'us-west-1a'

# Update inbound rules to allow traffic only from the specified availability zone
ec2.authorize_security_group_ingress(
    GroupId=security_group_id,
    IpPermissions=[
        {
            'IpProtocol': '-1',
            'UserIdGroupPairs': [],
            'IpRanges': [
                {
                    'CidrIp': f'{availability_zone}/32'
                },
            ],
            'Ipv6Ranges': []
        }
    ]
)

# Update outbound rules to allow traffic only to the specified availability zone
ec2.authorize_security_group_egress(
    GroupId=security_group_id,
    IpPermissions=[
        {
            'IpProtocol': '-1',
            'UserIdGroupPairs': [],
            'IpRanges': [
                {
                    'CidrIp': f'{availability_zone}/32'
                },
            ],
            'Ipv6Ranges': []
        }
    ]
)

print('Security Group rules updated successfully.')
  1. Replace 'YOUR_SECURITY_GROUP_ID' with the actual Security Group ID that you want to update.
  2. Replace 'us-west-1a' with the desired availability zone.
  3. Run the Python script to update the Security Group rules as per the specified configuration.
By following these steps and running the Python script, you can remediate the misconfiguration of network firewalls deployed across multiple availability zones for AWS EC2.