Enable Deletion Protection for AWS Network Firewall
Overview
This check verifies that your AWS Network Firewall has deletion protection enabled. Deletion protection is a safety feature that prevents your firewall from being accidentally deleted, which could leave your VPC unprotected.
Risk
Without deletion protection, your network firewall can be deleted by mistake or by an attacker holding compromised credentials. If deleted:
- Traffic goes unmonitored: Network traffic will no longer be inspected or logged
- Security rules are lost: Firewall policies and rules stop being enforced
- VPC becomes exposed: Resources in your VPC lose their perimeter protection
- Routing disruption: Traffic that was flowing through the firewall may be disrupted
Remediation Steps
Prerequisites
You need access to the AWS Console with permissions to modify Network Firewall settings, or AWS CLI configured with appropriate credentials.
Required IAM permissions
Your IAM user or role needs the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "network-firewall:DescribeFirewall",
        "network-firewall:UpdateFirewallDeleteProtection"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
- Open the VPC Console at https://console.aws.amazon.com/vpc/
- In the left navigation, scroll down to Network Firewall and select Firewalls
- Click on the name of the firewall you want to protect
- In the Firewall details section, click Edit
- Check the box for Delete protection
- Click Save
Your firewall is now protected from accidental deletion.
AWS CLI (optional)
Enable deletion protection for a specific firewall
aws network-firewall update-firewall-delete-protection \
--firewall-name <your-firewall-name> \
--delete-protection \
--region us-east-1
Replace <your-firewall-name> with your actual firewall name.
Using the firewall ARN instead of name
aws network-firewall update-firewall-delete-protection \
--firewall-arn arn:aws:network-firewall:us-east-1:123456789012:firewall/my-firewall \
--delete-protection \
--region us-east-1
List all firewalls to find your firewall name
aws network-firewall list-firewalls \
--region us-east-1
Check current deletion protection status
aws network-firewall describe-firewall \
--firewall-name <your-firewall-name> \
--region us-east-1 \
--query 'Firewall.DeleteProtection'
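As an added example (not part of the original page), the CLI steps above extended to every firewall in a region: a Python script that lists firewalls with boto3, describes each one, reports those whose DeleteProtection is missing or false, and can enable it. It assumes boto3 is installed and credentials are configured; the sample responses are constructed for offline checking.

```python
import sys
from typing import Dict, List

# Constructed DescribeFirewall-style responses used to exercise the audit logic offline.
SAMPLE_DESCRIPTIONS = [
    {"Firewall": {"FirewallName": "edge-fw", "DeleteProtection": True}},
    {"Firewall": {"FirewallName": "lab-fw", "DeleteProtection": False}},
    {"Firewall": {"FirewallName": "legacy-fw"}},  # key absent: treat as unprotected
]

def unprotected_firewalls(descriptions: List[Dict]) -> List[str]:
    """Return names of firewalls whose Firewall.DeleteProtection is false or missing."""
    return [
        d.get("Firewall", {}).get("FirewallName", "<unknown>")
        for d in descriptions
        if not d.get("Firewall", {}).get("DeleteProtection", False)
    ]

def remediation_commands(names: List[str], region: str) -> List[str]:
    """Build the same CLI command the page shows, one per unprotected firewall."""
    return [
        "aws network-firewall update-firewall-delete-protection "
        f"--firewall-name {n} --delete-protection --region {region}"
        for n in names
    ]

def audit_region(region: str, fix: bool = False) -> List[str]:
    """Describe every firewall in the region; optionally enable protection where missing."""
    import boto3  # imported here so the pure functions above stay importable without boto3
    client = boto3.client("network-firewall", region_name=region)
    descriptions, kwargs = [], {}
    while True:  # ListFirewalls is paginated with NextToken
        page = client.list_firewalls(**kwargs)
        for fw in page.get("Firewalls", []):
            descriptions.append(client.describe_firewall(FirewallArn=fw["FirewallArn"]))
        if "NextToken" not in page:
            break
        kwargs = {"NextToken": page["NextToken"]}
    missing = unprotected_firewalls(descriptions)
    if fix:  # same API call as update-firewall-delete-protection in the CLI
        for name in missing:
            client.update_firewall_delete_protection(FirewallName=name, DeleteProtection=True)
    return missing

if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    for cmd in remediation_commands(audit_region(region), region):
        print(cmd)
```

Run with a region argument to print one remediation command per unprotected firewall; call audit_region(region, fix=True) to apply the change directly.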
CloudFormation (optional)
When creating or updating a Network Firewall via CloudFormation, set DeleteProtection: true:
AWSTemplateFormatVersion: '2010-09-09'
Description: Network Firewall with Deletion Protection Enabled
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: The VPC ID where the firewall will be deployed
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: The subnet ID for firewall endpoint
Resources:
  FirewallPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: example-firewall-policy
      FirewallPolicy:
        StatelessDefaultActions:
          - aws:forward_to_sfe
        StatelessFragmentDefaultActions:
          - aws:forward_to_sfe
  NetworkFirewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: example-firewall
      FirewallPolicyArn: !Ref FirewallPolicy
      VpcId: !Ref VpcId
      DeleteProtection: true
      SubnetMappings:
        - SubnetId: !Ref SubnetId
      Tags:
        - Key: Environment
          Value: production
Outputs:
  FirewallArn:
    Description: The ARN of the Network Firewall
    Value: !Ref NetworkFirewall
Terraform (optional)
When creating or updating a Network Firewall with Terraform, set delete_protection = true:
resource "aws_networkfirewall_firewall" "example" {
  name                = "example-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.example.arn
  vpc_id              = aws_vpc.example.id
  delete_protection   = true

  subnet_mapping {
    subnet_id = aws_subnet.example.id
  }

  tags = {
    Environment = "production"
  }
}
For existing firewalls, add the delete_protection = true attribute and run:
terraform plan
terraform apply
Verification
After enabling deletion protection, verify it is active:
In the AWS Console:
- Go to VPC Console > Network Firewall > Firewalls
- Click on your firewall
- In the Firewall details section, confirm Delete protection shows Enabled
CLI verification
aws network-firewall describe-firewall \
--firewall-name <your-firewall-name> \
--region us-east-1 \
--query 'Firewall.DeleteProtection'
This should return true.
Additional Resources
- AWS Network Firewall Documentation
- AWS Security Hub - Network Firewall Controls
- AWS Network Firewall CLI Reference
Notes
- Deletion protection only prevents deletion: It does not prevent modifications to firewall rules or policies. Consider using IAM policies to restrict who can modify firewall configurations.
- To delete a protected firewall: You must first disable deletion protection, then delete the firewall. This is intentional to prevent accidental deletions.
- Apply to all firewalls: For defense-in-depth, enable deletion protection on all production firewalls and consider using Service Control Policies (SCPs) to enforce this at the organization level.