turbot/aws_compliance
Loading controls...

Control: 5 The default stateless action for Network Firewall policies should be drop or forward for fragmented packets

Description

This control checks whether the default stateless action for fragmented packets for a Network Firewall policy is drop or forward. The control passes if Drop or Forward is selected, and fails if Pass is selected.

A firewall policy defines how your firewall monitors and handles traffic in Amazon VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to Pass can allow unintended traffic.

Remediation

To update firewall policy and update actions through console:

  1. Sign in to the AWS Management Console and open the Amazon VPC console.
  2. In the navigation pane, under Network Firewall, choose Firewall policies.
  3. Select the name of the firewall policy that you want to edit. This takes you to the firewall policy’s details page.
  4. In Stateless Default Actions, choose Edit. Then choose Drop or Forward to stateful rule groups as the Default actions for fragmented packets.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_networkfirewall_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_networkfirewall_5 --share

SQL

This control uses a named query:

networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets

Tags