AWS Network Firewall is not configured with logging configuration
Description
This policy detects if the logging configuration is not defined for AWS Network Firewall. Logging is essential for monitoring and troubleshooting. If logging is not enabled, troubleshooting and security investigations will be hindered.
Code Example
```hcl
provider "aws" {
  region = "us-east-1"
}

resource "aws_networkfirewall_firewall" "example_firewall" {
  name                = "example-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.example_policy.arn
  vpc_id              = "vpc-12345678"

  subnet_mapping {
    subnet_id = "subnet-12345678"
  }

  // Other necessary firewall configurations
}

resource "aws_networkfirewall_firewall_policy" "example_policy" {
  name = "example-policy"

  // Define your firewall policy configuration; a firewall_policy block with
  // stateless default actions is the minimum Terraform accepts for this resource
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  }
}

resource "aws_networkfirewall_logging_configuration" "example_logging" {
  firewall_arn = aws_networkfirewall_firewall.example_firewall.arn

  logging_configuration {
    log_destination_config {
      log_destination_type = "S3"
      log_destination = {
        bucketName = "your-logging-bucket"
      }
      log_type = "ALERT"
    }

    // You can define additional logging configuration if needed
  }
}

# Make sure to define the S3 bucket and any necessary permissions as well.
```
Remediation
Terraform
- Resource: aws_networkfirewall_firewall_policy, aws_networkfirewall_logging_configuration
- Arguments: firewall_policy_arn
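As an added example (not the page's or Checkov's own code), the check this policy performs, run over a constructed, simplified model of parsed Terraform resources; the resource dictionary shape and its field names are assumptions:

```python
"""Added example: flag aws_networkfirewall_firewall resources that no
aws_networkfirewall_logging_configuration references, the condition
IAC-0497 (Checkov CKV2_AWS_63) reports. Not Checkov's implementation."""
import re

# A logging configuration attaches to a firewall by referencing its ARN,
# e.g. firewall_arn = aws_networkfirewall_firewall.example_firewall.arn
FIREWALL_REF = re.compile(r"^aws_networkfirewall_firewall\.([\w-]+)\.arn$")

# Constructed, simplified model of parsed Terraform (assumed shape): each
# resource carries its type, name and its still-unevaluated attributes.
SAMPLE_RESOURCES = [
    {"type": "aws_networkfirewall_firewall", "name": "example_firewall",
     "attrs": {"vpc_id": "vpc-12345678"}},
    {"type": "aws_networkfirewall_firewall", "name": "unlogged_firewall",
     "attrs": {"vpc_id": "vpc-87654321"}},
    {"type": "aws_networkfirewall_logging_configuration", "name": "example_logging",
     "attrs": {"firewall_arn": "aws_networkfirewall_firewall.example_firewall.arn",
               "logging_configuration": {"log_destination_config": [
                   {"log_destination_type": "S3", "log_type": "ALERT",
                    "log_destination": {"bucketName": "your-logging-bucket"}}]}}},
]


def firewalls_without_logging(resources):
    """Return, sorted, the names of firewalls that no logging configuration
    resource references through its firewall_arn argument."""
    firewalls = {r["name"] for r in resources
                 if r["type"] == "aws_networkfirewall_firewall"}
    logged = set()
    for r in resources:
        if r["type"] != "aws_networkfirewall_logging_configuration":
            continue
        # Only a direct resource reference links the two blocks; a literal ARN
        # string would not be recognised and the firewall would be reported.
        match = FIREWALL_REF.match(r.get("attrs", {}).get("firewall_arn", ""))
        if match:
            logged.add(match.group(1))
    return sorted(firewalls - logged)


if __name__ == "__main__":
    for name in firewalls_without_logging(SAMPLE_RESOURCES):
        print(f"IAC-0497: aws_networkfirewall_firewall.{name} has no logging configuration")
```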
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0497 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_63 |