Network Firewall Policy Default Action Should Be Set For Full Packets
More Info:
This rule checks if an AWS Network Firewall policy is configured with a user-defined default stateless action for full packets. It ensures that the default stateless action for full packets matches the user-defined default stateless action. The rule is marked as non-compliant if the default stateless action for full packets does not match the user-defined default stateless action.Risk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the network firewall policy default action for full packets in AWS EC2 using the AWS console, follow these steps:
- Login to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
- Navigate to the VPC Dashboard: In the AWS Management Console, go to the VPC dashboard by selecting “Services” from the top menu and then clicking on “VPC” under the Networking & Content Delivery section.
- Select the VPC: From the VPC dashboard, select the VPC where the EC2 instance with the misconfigured network firewall policy is located.
- Navigate to the Network ACLs: In the VPC dashboard, click on “Network ACLs” in the left-hand menu to view the list of network access control lists associated with the selected VPC.
- Identify the Network ACL: Identify the network ACL associated with the subnet where the misconfigured EC2 instance resides. Click on the relevant network ACL to view its details.
- Edit the Network ACL: In the network ACL details page, identify the inbound and outbound rules that need to be modified to set the default action for full packets.
- Update the Default Action: Locate the default action rule in the inbound and outbound rules sections of the network ACL. Edit the default action rule to allow full packets by specifying the appropriate protocol (e.g., TCP, UDP, ICMP) and port range.
- Save the Changes: Once you have updated the default action rule to allow full packets, save the changes to apply the new configuration to the network ACL.
- Verify the Configuration: Verify that the default action for full packets has been successfully set in the network ACL associated with the subnet where the EC2 instance is located.
Using CLI
Using CLI
To remediate the misconfiguration of the network firewall policy default action in AWS EC2 using AWS CLI, follow these steps:
-
Identify the Security Group: First, identify the security group associated with the EC2 instance that needs to be remediated. You can do this by either checking the EC2 instance details in the AWS Management Console or by using the following AWS CLI command:
-
Update the Security Group: Once you have identified the security group, you can update the network firewall policy default action to “deny” for all inbound and outbound traffic using the following AWS CLI command:
-
Verify the Changes: You can verify that the default action for full packets is now set to “deny” for both inbound and outbound traffic by checking the security group rules in the AWS Management Console or by using the following AWS CLI command:
Using Python
Using Python
To remediate the network firewall policy default action setting for AWS EC2 using Python, you can use the AWS SDK for Python (Boto3) to update the Network ACL associated with the VPC. Here are the step-by-step instructions to remediate this misconfiguration:Step 1: Install Boto3
Ensure that you have Boto3 installed. You can install it using pip:Step 2: Write Python script
Create a Python script with the following code to update the Network ACL default action for full packets:Replace After running this script, the default action for full packets in the Network ACL should be set, remediating the misconfiguration.
YOUR_VPC_ID and YOUR_NETWORK_ACL_ID with the actual VPC ID and Network ACL ID where the misconfiguration exists.Step 3: Run the Python script
Save the Python script and run it using the Python interpreter. This script will update the Network ACL entry to set the default action for full packets.