Network Firewall Policy Default Action Should Be Set For Full Packets

​

More Info:

This rule checks if an AWS Network Firewall policy is configured with a user-defined default stateless action for full packets. It ensures that the default stateless action for full packets matches the user-defined default stateless action. The rule is marked as non-compliant if the default stateless action for full packets does not match the user-defined default stateless action.

​

Risk Level

Medium

​

Address

Security

​

Compliance Standards

CBP

​

Remediation

​

Using Console

To remediate the network firewall policy default action for full packets in AWS EC2 using the AWS console, follow these steps:

1. Login to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.

2. Navigate to the VPC Dashboard: In the AWS Management Console, go to the VPC dashboard by selecting “Services” from the top menu and then clicking on “VPC” under the Networking & Content Delivery section.

3. Select the VPC: From the VPC dashboard, select the VPC where the EC2 instance with the misconfigured network firewall policy is located.

4. Navigate to the Network ACLs: In the VPC dashboard, click on “Network ACLs” in the left-hand menu to view the list of network access control lists associated with the selected VPC.

5. Identify the Network ACL: Identify the network ACL associated with the subnet where the misconfigured EC2 instance resides. Click on the relevant network ACL to view its details.

6. Edit the Network ACL: In the network ACL details page, identify the inbound and outbound rules that need to be modified to set the default action for full packets.

7. Update the Default Action: Locate the default action rule in the inbound and outbound rules sections of the network ACL. Edit the default action rule to allow full packets by specifying the appropriate protocol (e.g., TCP, UDP, ICMP) and port range.

8. Save the Changes: Once you have updated the default action rule to allow full packets, save the changes to apply the new configuration to the network ACL.

9. Verify the Configuration: Verify that the default action for full packets has been successfully set in the network ACL associated with the subnet where the EC2 instance is located.

By following these steps, you can remediate the network firewall policy default action for full packets in AWS EC2 using the AWS Management Console.

​

Using CLI

To remediate the misconfiguration of the network firewall policy default action in AWS EC2 using AWS CLI, follow these steps:

1. Identify the Security Group: First, identify the security group associated with the EC2 instance that needs to be remediated. You can do this by either checking the EC2 instance details in the AWS Management Console or by using the following AWS CLI command:

   aws ec2 describe-instances --instance-ids YOUR_INSTANCE_ID --query "Reservations[].Instances[].SecurityGroups[].GroupId" --output text
   

2. Update the Security Group: Once you have identified the security group, you can update the network firewall policy default action to “deny” for all inbound and outbound traffic using the following AWS CLI command:

   aws ec2 update-security-group-rule-descriptions-ingress --group-id YOUR_SECURITY_GROUP_ID --ip-permissions '[{"IpProtocol": "-1", "PrefixListIds": [], "IpRanges": [], "UserIdGroupPairs": [], "Ipv6Ranges": [], "FromPort": -1, "ToPort": -1, "Description": "Deny all inbound traffic"}]'
   

   aws ec2 update-security-group-rule-descriptions-egress --group-id YOUR_SECURITY_GROUP_ID --ip-permissions '[{"IpProtocol": "-1", "PrefixListIds": [], "IpRanges": [], "UserIdGroupPairs": [], "Ipv6Ranges": [], "FromPort": -1, "ToPort": -1, "Description": "Deny all outbound traffic"}]'
   

3. Verify the Changes: You can verify that the default action for full packets is now set to “deny” for both inbound and outbound traffic by checking the security group rules in the AWS Management Console or by using the following AWS CLI command:

   aws ec2 describe-security-groups --group-ids YOUR_SECURITY_GROUP_ID
   

By following these steps, you can remediate the misconfiguration of the network firewall policy default action in AWS EC2 using AWS CLI.

​

Using Python

To remediate the network firewall policy default action setting for AWS EC2 using Python, you can use the AWS SDK for Python (Boto3) to update the Network ACL associated with the VPC. Here are the step-by-step instructions to remediate this misconfiguration:

Step 1: Install Boto3 Ensure that you have Boto3 installed. You can install it using pip:

pip install boto3

Step 2: Write Python script Create a Python script with the following code to update the Network ACL default action for full packets:

import boto3

# Initialize the EC2 client
ec2_client = boto3.client('ec2')

# Specify the VPC ID
vpc_id = 'YOUR_VPC_ID'

# Specify the Network ACL ID
network_acl_id = 'YOUR_NETWORK_ACL_ID'

# Update the Network ACL entry to set the default action for full packets
response = ec2_client.create_network_acl_entry(
    CidrBlock='0.0.0.0/0',
    Egress=False,
    NetworkAclId=network_acl_id,
    Protocol='-1',
    RuleAction='allow',
    RuleNumber=100
)

print("Network ACL default action updated successfully.")

Replace YOUR_VPC_ID and YOUR_NETWORK_ACL_ID with the actual VPC ID and Network ACL ID where the misconfiguration exists.

Step 3: Run the Python script Save the Python script and run it using the Python interpreter. This script will update the Network ACL entry to set the default action for full packets.

python remediate_network_acl.py

After running this script, the default action for full packets in the Network ACL should be set, remediating the misconfiguration.