More Info:

This rule checks if an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. It ensures that the stateless default action for fragmented packets matches the user-defined default action. The rule is marked as non-compliant if the stateless default action for fragmented packets does not match the user-defined default action.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the issue of the Network Firewall Policy Default Action not being set for fragmented packets in AWS EC2, you can follow these steps using the AWS Management Console:
  1. Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
  2. Navigate to the Amazon VPC Console: Click on the “Services” dropdown menu at the top of the page, select “VPC” under the Networking & Content Delivery section.
  3. Select the VPC: In the VPC dashboard, click on the VPC ID where your EC2 instance is located.
  4. Go to the Network ACLs: In the left-hand menu, click on “Network ACLs” to view the list of Network Access Control Lists associated with the selected VPC.
  5. Identify the Default Network ACL: Locate the default Network ACL associated with the VPC. The default Network ACL is named “default” and is automatically associated with all subnets in the VPC unless explicitly changed.
  6. Edit the Network ACL Rules:
    • Click on the default Network ACL ID to view its inbound and outbound rules.
    • Look for the rule that controls fragmented packets. By default, AWS allows fragmented packets.
    • If there is an explicit rule denying fragmented packets, edit the rule to allow them. If there is no specific rule, you may need to add a new rule to allow fragmented packets.
  7. Add or Edit Rule for Fragmented Packets:
    • Click on the “Edit” button to modify the inbound or outbound rules of the Network ACL.
    • Add a new entry or edit an existing rule to allow fragmented packets. Set the rule to allow fragmented packets by setting the rule number, type (inbound or outbound), protocol (e.g., all protocols or specific protocols that use fragmented packets), port range if applicable, source or destination IP range, and action to “Allow”.
  8. Save the Changes: After adding or editing the rule to allow fragmented packets, click on the “Save” button to apply the changes to the default Network ACL.
By following these steps and ensuring that the default Network ACL associated with your VPC allows fragmented packets, you can remediate the misconfiguration related to the Network Firewall Policy Default Action for fragmented packets in AWS EC2 using the AWS Management Console.

To remediate the issue of Network Firewall Policy Default Action not being set for fragmented packets in AWS EC2 using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to describe the current Network Firewall Policy for your VPC: 
aws ec2 describe-network-acls --filters "Name=vpc-id,Values=<your-vpc-id>"
Replace <your-vpc-id> with the ID of your VPC.
  1. Identify the Network ACL that needs to be updated based on the output of the previous command.
  2. Run the following command to update the Network ACL entry for fragmented packets: 
aws ec2 update-network-acl-entry --network-acl-id <your-network-acl-id> --egress --rule-number <rule-number> --protocol all --rule-action allow --cidr-block 0.0.0.0/0 --port-range From=0,To=65535 --fragment-acknowledgment-required --fragment-reorder --fragment-action drop
Replace <your-network-acl-id> with the ID of the Network ACL that needs to be updated, and <rule-number> with the appropriate rule number in the Network ACL.
  1. Verify that the update was successful by running the describe-network-acls command again.
By following these steps, you can remediate the misconfiguration of not setting the Network Firewall Policy Default Action for fragmented packets in AWS EC2 using AWS CLI.
To remediate the network firewall policy default action for fragmented packets in AWS EC2 using Python, you can use the AWS SDK for Python (Boto3) to update the Network ACL associated with the VPC. Here are the step-by-step instructions to remediate this misconfiguration:
  1. Install Boto3: If you haven’t already installed Boto3, you can install it using pip:
pip install boto3
  1. Use the following Python script to update the default action for fragmented packets in the Network ACL associated with your VPC:
import boto3

# Initialize the EC2 client
ec2_client = boto3.client('ec2')

# Specify the VPC ID where the Network ACL is associated
vpc_id = 'your_vpc_id'

# Specify the Network ACL ID that you want to update
network_acl_id = 'your_network_acl_id'

# Update the default action for fragmented packets in the Network ACL
response = ec2_client.update_network_acl_entry(
    CidrBlock='0.0.0.0/0',
    Egress=False,
    NetworkAclId=network_acl_id,
    PortRange={
        'From': 0,
        'To': 65535
    },
    Protocol='-1',
    RuleAction='allow',
    RuleNumber=100,
)

print('Default action for fragmented packets updated successfully.')
  1. Replace 'your_vpc_id' and 'your_network_acl_id' with your actual VPC ID and Network ACL ID.
  2. Run the Python script to update the default action for fragmented packets in the specified Network ACL.
After running the script, the default action for fragmented packets in the specified Network ACL will be set to ‘allow’. You can customize the script further based on your specific requirements and configurations.