Ensure Network Firewall Policies Have at Least One Rule Group Associated

Overview

This check verifies that your AWS Network Firewall policies have at least one rule group (stateful or stateless) associated with them. A firewall policy without rule groups is essentially inactive and provides no real traffic filtering.

Risk

Without any rule groups attached, your Network Firewall policy cannot inspect or filter traffic. This means:

  • Traffic passes uninspected: All network traffic flows through without meaningful security checks
  • No protection against threats: Malicious traffic, data exfiltration attempts, and unauthorized access go undetected
  • Compliance gaps: Security frameworks require active traffic inspection at network boundaries

Remediation Steps

Prerequisites

You need permission to modify Network Firewall policies in your AWS account. You should also have at least one rule group ready to associate (either AWS managed or custom).

About rule group types

Stateless rule groups: Inspect each packet in isolation. Good for simple allow/deny rules based on IP, port, or protocol.

Stateful rule groups: Track connection state and can inspect traffic patterns over time. Required for deep packet inspection, domain filtering, and intrusion detection.

AWS managed rule groups: Pre-built rule sets maintained by AWS for common threat protection scenarios.

AWS Console Method

  1. Open the VPC Console at https://console.aws.amazon.com/vpc/
  2. In the left navigation, under Network Firewall, click Firewall policies
  3. Click on the policy that needs rule groups
  4. Scroll down to the Rule groups section
  5. To add a stateless rule group:
    • In the Stateless rule groups section, click Add rule groups
    • Select one or more rule groups from the list
    • Set the priority (lower numbers run first)
    • Click Add rule groups
  6. To add a stateful rule group:
    • In the Stateful rule groups section, click Add rule groups
    • Select one or more rule groups from the list
    • Click Add rule groups
  7. Review your changes and click Save

AWS CLI (optional)

Step 1: Get the current policy configuration

aws network-firewall describe-firewall-policy \
  --firewall-policy-name <your-policy-name> \
  --region us-east-1

Note the UpdateToken value in the response; you will need it for the update in Step 3.

Step 2: List available rule groups

To see rule groups in your account:

aws network-firewall list-rule-groups \
  --scope ACCOUNT \
  --region us-east-1

To see AWS managed rule groups:

aws network-firewall list-rule-groups \
  --scope MANAGED \
  --region us-east-1

Step 3: Update the policy with rule groups

aws network-firewall update-firewall-policy \
  --firewall-policy-name <your-policy-name> \
  --update-token <update-token-from-step-1> \
  --firewall-policy '{
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    "StatefulRuleGroupReferences": [
      {
        "ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/my-rule-group"
      }
    ]
  }' \
  --region us-east-1

Replace <your-policy-name>, <update-token-from-step-1>, and the rule group ARN with your actual values.

Important: The --firewall-policy parameter replaces the entire policy configuration, not just the rule group references. Copy all existing settings from the Step 1 output (default actions, existing rule group references, custom actions) into the new document and add your rule group references to them; otherwise the update silently drops them.


CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: Network Firewall Policy with Rule Groups Associated

Parameters:
  PolicyName:
    Type: String
    Description: Name for the Network Firewall policy
    Default: my-firewall-policy

  StatefulRuleGroupArn:
    Type: String
    Description: ARN of the stateful rule group to associate

Resources:
  FirewallPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: !Ref PolicyName
      FirewallPolicy:
        StatelessDefaultActions:
          - aws:forward_to_sfe
        StatelessFragmentDefaultActions:
          - aws:forward_to_sfe
        StatefulRuleGroupReferences:
          - ResourceArn: !Ref StatefulRuleGroupArn

Outputs:
  FirewallPolicyArn:
    Description: ARN of the created firewall policy
    Value: !Ref FirewallPolicy

Key properties:

  • StatefulRuleGroupReferences: List of stateful rule group ARNs to associate
  • StatelessRuleGroupReferences: List of stateless rule group ARNs (include Priority for each)
  • StatelessDefaultActions: What to do with traffic that does not match stateless rules (aws:forward_to_sfe sends it to stateful inspection)

Terraform (optional)

variable "policy_name" {
  description = "Name for the Network Firewall policy"
  type        = string
  default     = "my-firewall-policy"
}

variable "stateful_rule_group_arn" {
  description = "ARN of the stateful rule group to associate"
  type        = string
}

resource "aws_networkfirewall_firewall_policy" "main" {
  name = var.policy_name

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_rule_group_reference {
      resource_arn = var.stateful_rule_group_arn
    }
  }

  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
  }
}

output "firewall_policy_arn" {
  description = "ARN of the created firewall policy"
  value       = aws_networkfirewall_firewall_policy.main.arn
}

Adding multiple rule groups:

firewall_policy {
  # Stateless rule groups (require priority)
  stateless_rule_group_reference {
    resource_arn = aws_networkfirewall_rule_group.stateless_example.arn
    priority     = 1
  }

  # Stateful rule groups
  stateful_rule_group_reference {
    resource_arn = aws_networkfirewall_rule_group.stateful_example.arn
  }

  stateful_rule_group_reference {
    resource_arn = "arn:aws:network-firewall:us-east-1:aws-managed:stateful-rulegroup/ThreatSignaturesDoS"
  }

  stateless_default_actions          = ["aws:forward_to_sfe"]
  stateless_fragment_default_actions = ["aws:forward_to_sfe"]
}

Verification

After making changes, confirm that your policy now has rule groups:

  1. In the VPC Console, navigate to Network Firewall > Firewall policies
  2. Click on your policy
  3. Verify that the Rule groups section shows at least one stateful or stateless rule group

CLI verification

aws network-firewall describe-firewall-policy \
  --firewall-policy-name <your-policy-name> \
  --region us-east-1 \
  --query 'FirewallPolicy.{Stateful:StatefulRuleGroupReferences,Stateless:StatelessRuleGroupReferences}'

The output should show at least one rule group reference; if both Stateful and Stateless come back as null or empty lists, the policy is still inactive and the check still fails.
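The check from the Verification section and the "replace the entire policy" caveat from the CLI Step 3, as an added Python example that is not part of this page: it evaluates a describe-firewall-policy document for rule group references and builds the replacement document by copying the existing settings rather than starting from scratch. The helper names and the constructed sample document are the example's own; only the boto3 client calls (describe_firewall_policy, update_firewall_policy) are real API names.

```python
"""Detect Network Firewall policies with no rule groups and remediate safely."""
import copy
from typing import Any, Dict

STATEFUL_KEY = "StatefulRuleGroupReferences"
STATELESS_KEY = "StatelessRuleGroupReferences"


def has_rule_groups(policy: Dict[str, Any]) -> bool:
    """True if the FirewallPolicy document references at least one rule group,
    stateful or stateless. Missing keys and empty lists both count as none."""
    return bool(policy.get(STATEFUL_KEY)) or bool(policy.get(STATELESS_KEY))


def add_stateful_rule_group(policy: Dict[str, Any], arn: str) -> Dict[str, Any]:
    """Return a new document with `arn` added as a stateful reference while
    keeping every existing setting (default actions, other references).
    This matters because update-firewall-policy replaces the whole document.
    Idempotent: adding an ARN that is already referenced changes nothing."""
    new_policy = copy.deepcopy(policy)
    refs = new_policy.setdefault(STATEFUL_KEY, [])
    if not any(ref.get("ResourceArn") == arn for ref in refs):
        refs.append({"ResourceArn": arn})
    return new_policy


def remediate(policy_name: str, arn: str, region: str = "us-east-1") -> bool:
    """Describe the policy; if it has no rule groups, push a merged update
    using the UpdateToken from the describe call. Returns True if updated."""
    import boto3  # imported here so the pure helpers above need no AWS SDK

    nfw = boto3.client("network-firewall", region_name=region)
    resp = nfw.describe_firewall_policy(FirewallPolicyName=policy_name)
    document = resp["FirewallPolicy"]
    if has_rule_groups(document):
        return False
    nfw.update_firewall_policy(
        FirewallPolicyName=policy_name,
        UpdateToken=resp["UpdateToken"],
        FirewallPolicy=add_stateful_rule_group(document, arn),
    )
    return True


# Constructed sample (not a real account): the FirewallPolicy document of a
# policy that forwards everything to the stateful engine but has no rule groups.
SAMPLE_EMPTY_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
}
SAMPLE_ARN = "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/my-rule-group"
```

Run remediate() only after confirming the rule group ARN in a non-production account, since the merged document is applied to every firewall using the policy.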

Additional Resources

Notes

  • Start with managed rule groups: AWS provides pre-built rule groups for common threats (malware domains, known bad IPs). These are a good starting point.
  • Stateless rules run first: If you use both types, stateless rules evaluate first. Use aws:forward_to_sfe as a default action to pass traffic to stateful inspection.
  • Priority matters for stateless: When you have multiple stateless rule groups, they run in priority order (lowest number first).
  • Changes take effect immediately: Updates to firewall policies apply to active firewalls without restart, but may take a few minutes to propagate.
  • Test before production: Always test rule group changes in a non-production environment first to avoid blocking legitimate traffic.