More Info:

Ensure deletion protection is enabled for network firewall rules

Risk Level

High

Address

Security

Compliance Standards

CBP,SEBI

Remediation

Using Console

To remediate the issue of Network Firewall Deletion Protection not being enabled for AWS EC2 using the AWS console, follow these step-by-step instructions:

  1. Login to AWS Console: Go to the AWS Management Console and login to your account.

  2. Navigate to EC2 Service: Click on the “Services” dropdown menu at the top left corner and select “EC2” under the Compute section.

  3. Select Security Groups: In the EC2 dashboard, click on the “Security Groups” option from the left-hand side menu.

  4. Select the Security Group: Identify the security group that you want to enable deletion protection for and click on it to select it.

  5. Enable Deletion Protection: In the security group details page, go to the “Actions” dropdown menu at the top and select “Edit inbound rules” or “Edit outbound rules” as per your requirement.

  6. Enable Deletion Protection: In the Edit rules page, scroll down to the bottom and locate the “Delete Protection” option. Check the box next to “Protect against accidental deletion” to enable deletion protection for the security group.

  7. Save Changes: After enabling deletion protection, click on the “Save rules” button to apply the changes.

By following these steps, you have successfully enabled deletion protection for the selected security group in AWS EC2 using the AWS console.

Using CLI

To remediate the misconfiguration of Network Firewall Deletion Protection not being enabled for AWS EC2 instances using AWS CLI, you can follow these steps:

  1. List all the security groups associated with your EC2 instances to identify the security group that needs to have deletion protection enabled:
aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId,GroupName]'
  1. Enable deletion protection for the identified security group using the following command. Replace <security-group-id> with the actual Security Group ID:
aws ec2 modify-security-group-rules --group-id <security-group-id> --no-delete-on-revoke
  1. Verify that deletion protection has been enabled for the security group by describing the security group attributes:
aws ec2 describe-security-groups --group-ids <security-group-id> --query 'SecurityGroups[*].{GroupName:GroupName,DeletionProtection:DeletionProtection}'

By following these steps, you can remediate the misconfiguration of Network Firewall Deletion Protection not being enabled for AWS EC2 instances using AWS CLI.

Using Python

To remediate the misconfiguration of Network Firewall Deletion Protection not being enabled for AWS EC2 instances using Python, you can use the Boto3 library, which is the AWS SDK for Python. Here are the step-by-step instructions to enable deletion protection for network firewalls associated with EC2 instances:

  1. Install Boto3 library: Ensure you have the Boto3 library installed. You can install it using pip:

    pip install boto3

  2. Write a Python script to enable deletion protection for network firewalls: Create a Python script (e.g., enable_firewall_deletion_protection.py) with the following code:

    import boto3

# Initialize the EC2 client
ec2_client = boto3.client('ec2')

# Get all the network interfaces associated with EC2 instances
response = ec2_client.describe_instances()
for reservation in response['Reservations']:
    for instance in reservation['Instances']:
        for interface in instance['NetworkInterfaces']:
            # Get the network interface ID
            network_interface_id = interface['NetworkInterfaceId']
            
            # Enable deletion protection for the network interface
            ec2_client.modify_network_interface_attribute(
                NetworkInterfaceId=network_interface_id,
                DeletionProtection={'Value': True}
            )
            print(f"Deletion protection enabled for network interface {network_interface_id}")

  3. Configure AWS credentials: Ensure that your AWS credentials are configured either through environment variables, AWS CLI configuration, or IAM roles.

  4. Run the Python script: Execute the Python script using the following command:

    python enable_firewall_deletion_protection.py

By following these steps, you can use Python and Boto3 to enable deletion protection for network firewalls associated with EC2 instances in AWS, thereby remediating the misconfiguration.