VPC Without Network Firewall

  • Query id: 3e293410-d5b8-411f-85fd-7d26294f20c9
  • Query name: VPC Without Network Firewall
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: Ongoing
  • URL: Github

Description

Every VPC (AWS::EC2::VPC) should have an AWS Network Firewall associated with it, i.e. an AWS::NetworkFirewall::Firewall resource whose VpcId references that VPC; a VPC that no firewall points at is reported.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myVPC11:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: 'false'
        EnableDnsHostnames: 'false'
        InstanceTenancy: dedicated
    SampleFirewall:
      Type: AWS::NetworkFirewall::Firewall
      Properties:
        FirewallName: SampleFirewallName
        FirewallPolicyArn: !Ref SampleFirewallPolicy
        VpcId: !Ref myVPC
        SubnetMappings:
          - SubnetId: !Ref SampleSubnet1
          - SubnetId: !Ref SampleSubnet2
        Description: Firewall description goes here
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SampleFirewall": {
      "Properties": {
        "Description": "Firewall description goes here",
        "FirewallName": "SampleFirewallName",
        "FirewallPolicyArn": "SampleFirewallPolicy",
        "SubnetMappings": [
          {
            "SubnetId": "SampleSubnet1"
          },
          {
            "SubnetId": "SampleSubnet2"
          }
        ],
        "VpcId": "myVPC"
      },
      "Type": "AWS::NetworkFirewall::Firewall"
    },
    "myVPC11": {
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": "false",
        "EnableDnsSupport": "false",
        "InstanceTenancy": "dedicated"
      },
      "Type": "AWS::EC2::VPC"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myVPC1:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: 'false'
        EnableDnsHostnames: 'false'
        InstanceTenancy: dedicated
    SampleFirewall:
      Type: AWS::NetworkFirewall::Firewall
      Properties:
        FirewallName: SampleFirewallName
        FirewallPolicyArn: !Ref SampleFirewallPolicy
        VpcId: !Ref myVPC1
        SubnetMappings:
          - SubnetId: !Ref SampleSubnet1
          - SubnetId: !Ref SampleSubnet2
        Description: Firewall description goes here
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SampleFirewall": {
      "Properties": {
        "Description": "Firewall description goes here",
        "FirewallName": "SampleFirewallName",
        "FirewallPolicyArn": "SampleFirewallPolicy",
        "SubnetMappings": [
          {
            "SubnetId": "SampleSubnet1"
          },
          {
            "SubnetId": "SampleSubnet2"
          }
        ],
        "VpcId": "myVPC1"
      },
      "Type": "AWS::NetworkFirewall::Firewall"
    },
    "myVPC1": {
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": "false",
        "EnableDnsSupport": "false",
        "InstanceTenancy": "dedicated"
      },
      "Type": "AWS::EC2::VPC"
    }
  }
}
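As an added example (not part of the KICS query or of this page), a small Python checker that applies the rule the samples above illustrate: it collects every AWS::EC2::VPC in a template's Resources and flags those that no AWS::NetworkFirewall::Firewall's VpcId references, accepting both the plain-string VpcId the JSON samples use and the {"Ref": ...} intrinsic form. The two templates are constructed from the page's JSON samples; YAML parsing and the !Ref tag are not handled here.

```python
# Constructed templates mirroring the page's JSON samples. In the positive one the
# firewall's VpcId points at "myVPC", but the only VPC resource is "myVPC11".
POSITIVE_TEMPLATE = {"Resources": {
    "SampleFirewall": {"Type": "AWS::NetworkFirewall::Firewall",
                       "Properties": {"FirewallPolicyArn": "SampleFirewallPolicy",
                                      "VpcId": "myVPC"}},
    "myVPC11": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
}}
# Negative case, written with the {"Ref": ...} intrinsic CloudFormation JSON normally uses.
NEGATIVE_TEMPLATE = {"Resources": {
    "SampleFirewall": {"Type": "AWS::NetworkFirewall::Firewall",
                       "Properties": {"FirewallPolicyArn": "SampleFirewallPolicy",
                                      "VpcId": {"Ref": "myVPC1"}}},
    "myVPC1": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
}}


def referenced_vpc(vpc_id):
    """Resolve a VpcId value to the logical ID it names.

    Handles the plain string form from the page's samples and {"Ref": "name"}.
    Any other form (Fn::ImportValue, a parameter, a literal vpc-xxxx id) cannot
    be matched to a resource in this template and yields None.
    """
    if isinstance(vpc_id, str):
        return vpc_id
    if isinstance(vpc_id, dict) and "Ref" in vpc_id:
        return vpc_id["Ref"]
    return None


def vpcs_without_firewall(template):
    """Return the sorted logical IDs of VPC resources no Network Firewall references."""
    resources = template.get("Resources", {})
    vpcs = {name for name, res in resources.items()
            if res.get("Type") == "AWS::EC2::VPC"}
    protected = set()
    for res in resources.values():
        if res.get("Type") == "AWS::NetworkFirewall::Firewall":
            target = referenced_vpc(res.get("Properties", {}).get("VpcId"))
            if target is not None:
                protected.add(target)
    return sorted(vpcs - protected)


if __name__ == "__main__":
    print("positive sample:", vpcs_without_firewall(POSITIVE_TEMPLATE))  # ['myVPC11']
    print("negative sample:", vpcs_without_firewall(NEGATIVE_TEMPLATE))  # []
```

A firewall whose VpcId comes from a parameter or an import is not credited to any VPC in the template, so such templates are reported and need a manual look rather than being silently passed.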