Ensure Network firewall flow logging is enabled

Network Firewall FLOW logs record, per connection, the network traffic that passed through the stateful engine of your firewall. Without them there is no record of what crossed the firewall during a security incident, so you must enable flow logging on the Network Firewall.

Risk Level: Low
Cloud Entity: AWS Network-Firewall
CloudGuard Rule ID: D9.AWS.LOG.20
Category: Networking & Content Delivery

GSL LOGIC

NetworkFirewall should have loggingConfiguration.logDestinationConfigs contain [logType='FLOW']

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console and open the Amazon VPC console.
  2. In the navigation pane, under Network Firewall, choose Firewalls.
  3. In the Firewalls page, choose the name of the firewall that you want to edit.
  4. Choose the tab Firewall details, then in the Logging section, choose Edit.
  5. Adjust the Log type selections as needed. You can configure logging for alert and flow logs.
    Alert: Sends logs for traffic that matches any stateful rule whose action is set to Alert or Drop. For more information about stateful rules and rule groups, see Rule groups in AWS Network Firewall.
    Flow: Sends logs for all network traffic that the stateless engine forwards to the stateful rules engine.
  6. For each selected log type, choose the destination type, then provide the information for the logging destination that you prepared following the guidance in Firewall logging destinations. In order to change the destination for an existing Log type, you must first turn off logging for the policy. Then, edit the policy and specify the new destination(s) for the Log type.
  7. Choose Save to save your changes and return to the firewall's detail page.

From TF

resource "aws_networkfirewall_logging_configuration" "example" {
  # firewall_arn is required; the firewall and bucket resources referenced here are assumed to exist
  firewall_arn = aws_networkfirewall_firewall.example.arn

  logging_configuration {
    log_destination_config {
      # every log_destination_config needs a destination; an S3 bucket is shown here
      log_destination = {
        bucketName = aws_s3_bucket.example.bucket
        prefix     = "flow"
      }
      log_destination_type = "S3"
      log_type             = "FLOW" # was "ALERT"; FLOW records all traffic handed to the stateful engine
    }
  }
}

From Command Line
To enable Network Firewall flow logging, use the following CLI command (the --logging-configuration value is quoted so the shell does not interpret the brackets):

aws network-firewall update-logging-configuration --firewall-arn FW_ARN --logging-configuration 'LogDestinationConfigs=[{LogType=FLOW,LogDestinationType=DESTINATION_TYPE,LogDestination={key1=value1,key2=value2}}]'

DESTINATION_TYPE is one of S3, CloudWatchLogs or KinesisDataFirehose, and the LogDestination keys depend on it: bucketName (with an optional prefix) for S3, logGroup for CloudWatchLogs, deliveryStream for KinesisDataFirehose.

Example for sending logs to S3 (replace BUCKET_NAME; the prefix key is optional and may be dropped):

aws network-firewall update-logging-configuration --firewall-arn FW_ARN --logging-configuration 'LogDestinationConfigs=[{LogType=FLOW,LogDestinationType=S3,LogDestination={bucketName=BUCKET_NAME,prefix=OPTIONAL_PREFIX}}]'
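Added example, not code from CloudGuard, AWS or this page: a Python script that evaluates the GSL rule above against the LoggingConfiguration object returned by describe-logging-configuration, and builds the full object that update-logging-configuration expects, so that an existing ALERT destination is preserved when FLOW is added. All firewall ARNs, log groups and bucket names are constructed sample values. The one-change-per-call behaviour of UpdateLoggingConfiguration (add one config, remove one, or change one destination per call) is as documented in the AWS API reference.

```python
"""Audit and remediation helper for Network Firewall FLOW logging.

Added example, not CloudGuard's, AWS's or the page's own code. The sample
firewalls below are constructed data, not real resources.
"""
import copy
import json
from typing import Optional

FLOW = "FLOW"
DESTINATION_TYPES = ("S3", "CloudWatchLogs", "KinesisDataFirehose")


def flow_logging_enabled(logging_configuration: Optional[dict]) -> bool:
    """Mirror of: loggingConfiguration.logDestinationConfigs contain [logType='FLOW'].

    `logging_configuration` has the shape of the LoggingConfiguration object
    returned by `aws network-firewall describe-logging-configuration`.
    A firewall with no logging at all yields None or {} and must fail the rule.
    """
    if not logging_configuration:
        return False
    configs = logging_configuration.get("LogDestinationConfigs") or []
    return any(c.get("LogType") == FLOW for c in configs)


def with_flow_destination(logging_configuration: Optional[dict],
                          destination_type: str,
                          log_destination: dict) -> dict:
    """Return the LoggingConfiguration to send to update-logging-configuration.

    The API takes the whole object and accepts one change per call, so the
    remediation appends a single FLOW entry and leaves existing ALERT
    destinations in place. The input object is not mutated.
    """
    if destination_type not in DESTINATION_TYPES:
        raise ValueError(f"unsupported LogDestinationType: {destination_type}")
    current = copy.deepcopy(logging_configuration) if logging_configuration else {}
    configs = current.setdefault("LogDestinationConfigs", [])
    if flow_logging_enabled(current):
        return current  # already compliant; nothing to change
    configs.append({
        "LogType": FLOW,
        "LogDestinationType": destination_type,
        "LogDestination": dict(log_destination),
    })
    return current


def remediation_command(firewall_arn: str, logging_configuration: dict) -> str:
    """CLI line equivalent to the page's command, passing the full object as JSON."""
    payload = json.dumps(logging_configuration, separators=(",", ":"))
    return (f"aws network-firewall update-logging-configuration "
            f"--firewall-arn {firewall_arn} --logging-configuration '{payload}'")


def evaluate(firewalls: dict) -> dict:
    """Map firewall ARN -> True (compliant) / False (FLOW logging missing)."""
    return {arn: flow_logging_enabled(cfg) for arn, cfg in firewalls.items()}


# Constructed sample: three firewalls as describe-logging-configuration would
# report them (111122223333 is the AWS documentation example account id).
SAMPLE_FIREWALLS = {
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/alert-only": {
        "LogDestinationConfigs": [
            {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
             "LogDestination": {"logGroup": "/anfw/alert"}},
        ]
    },
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/alert-and-flow": {
        "LogDestinationConfigs": [
            {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
             "LogDestination": {"logGroup": "/anfw/alert"}},
            {"LogType": "FLOW", "LogDestinationType": "S3",
             "LogDestination": {"bucketName": "example-anfw-logs", "prefix": "flow"}},
        ]
    },
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/no-logging": None,
}


def main() -> None:
    for arn, ok in evaluate(SAMPLE_FIREWALLS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {arn}")
        if not ok:
            fixed = with_flow_destination(
                SAMPLE_FIREWALLS[arn], "S3",
                {"bucketName": "example-anfw-logs", "prefix": "flow"})
            print("  remediation: " + remediation_command(arn, fixed))


if __name__ == "__main__":
    main()
```

To run it against a real account, replace the sample with the output of `aws network-firewall describe-logging-configuration --firewall-arn FW_ARN --query LoggingConfiguration` for each firewall; the printed remediation line adds FLOW as its own call and leaves any ALERT destination as it is.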

References

  1. https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html
  2. https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-update-logging-configuration.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_logging_configuration
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-logging-configuration.html

AWS Network-Firewall

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall's flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious act

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5