Network firewalls do not have deletion protection enabled
Description
This policy is checking to ensure that Network firewalls have deletion protection enabled. It's crucial for maintaining the integrity and security of the system. If deletion protection is not enabled, there is potential risk that essential firewall settings could be accidentally or maliciously deleted leading to an increased vulnerability to attacks. Therefore, this policy helps to safeguard critical network configurations against unintentional deletions.
Code Example
hcl
resource "aws_networkfirewall_firewall" "example" {
name = "example"
firewall_policy_arn = aws_networkfirewall_firewall_policy.example.arn
vpc_id = aws_vpc.example.id
subnet_mapping {
subnet_id = aws_subnet.example.id
}
delete_protection = true
}Remediation
Terraform
- Resource: aws_networkfirewall_firewall
- Arguments: delete_protection
To fix this issue, you need to enable deletion protection on your network firewalls.
In AWS, you can achieve this by setting the `delete_protection` argument to `true` in the `aws_networkfirewall_firewall` resource block.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0391 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_344 |