Configuring resources for AWS Network Firewall - Firewall Automation for Network Traffic on AWS

Configuring resources for AWS Network Firewall

After deploying the solution, you can customize the resources for your network. This solution creates an AWS CodeCommit repository to store all the AWS Network Firewall configuration files. These files can be updated and new resources can be created in the respective folders. After the changes are committed and pushed to the AWS CodeCommit repository, this solution uses the configuration package to create or update AWS Network Firewall resources. The changes to the firewall, firewall policy, and rule groups can be reviewed after the AWS CodePipeline has finished running successfully. We recommend monitoring the pipeline status to confirm that the changes were deployed successfully. You can also review AWS CodeBuild stage logs in the AWS CodePipeline.

Note

All references to the FirewallPolicyArn and ResourceArn attributes should contain the reference path to the actual JSON files. This solution uses these values to retrieve the configurations. Refer to the example configurations that are provided in the AWS CodeCommit repository.

A unique string is added to the AWS Network Firewall and firewall policy names to allow you to deploy the solution more than once in a Region. The deployed resources have a unique name for each Region.

If there are existing resources in the AWS Network Firewall that have the same name as those being referenced in the solution, they will be updated with the configuration provided in the AWS CodeCommit repository. Before committing changes, we recommend reviewing the resource names for any resources previously created in the AWS Network Firewall console in the account and Region.

AWS CodeBuild validation stage

The solution creates two AWS CodeBuild stages. The first stage validates the configuration files (firewall, firewall policy, and rule group) and checks that the JSON format is valid. This solution then validates the files against the AWS Network Firewall APIs to ensure that the attributes defined in the files contain valid data. If any file has formatting issues or invalid data, the AWS CodeBuild stage will be in a Failed state and the deployment of the files to AWS Network Firewall will not continue. The AWS CodeBuild validation stage will provide error details for the files, similar to the ones in the following log example.

[TIMESTAMP] : "-----------INVALID FILES START-----------"
[TIMESTAMP]: { "path": "./firewallPolicies/firewall-policy-1.json", "error": "Unexpected key 'key' found in params.FirewallPolicy" }
[TIMESTAMP]: "-----------INVALID FILES END-----------"
[TIMESTAMP]: "Validation failed."
[TIMESTAMP]: "Error in firewall config validation" : "Validation failed."

Once the solution is deployed, the AWS CodeCommit repository will have the following default directory structure.

  • Examples – This directory has example configuration files.

  • Firewalls – This directory contains the firewall configuration in JSON format. It includes the attributes documented for the CreateFirewall API action.

Note

FirewallPolicyArn has a value which exactly matches the file path of the firewall policy file in the AWS CodeCommit repository.

As shown in the following example JSON file, this solution uses firewall-policy-1.json for the firewall policy, stored at the ./firewallPolicies/firewall-policy-1.json path in the AWS CodeCommit repository.

{
  "FirewallName": "Firewall-1",
  "FirewallPolicyArn": "./firewallPolicies/firewall-policy-1.json",
  "Description": "Network Firewall 1",
  "DeleteProtection": true,
  "SubnetChangeProtection": true
}

  • FirewallPolicies – This directory contains the firewall policy configuration in JSON format, with the attributes documented for CreateFirewallPolicy. The ResourceArn attribute has a value which exactly matches the file path of the rule group file in the AWS CodeCommit repository. Below is an example of the network firewall policy.

{
  "FirewallPolicyName": "Firewall-Policy-1",
  "Description": "Firewall Policy 1",
  "FirewallPolicy": {
    "StatelessDefaultActions": [ "aws:drop" ],
    "StatelessRuleGroupReferences": [
      { "Priority": 30, "ResourceArn": "./ruleGroups/stateless-fwd-to-stateful.example.json" },
      { "Priority": 20, "ResourceArn": "./ruleGroups/stateless-pass-action.example.json" }
    ],
    "StatefulRuleGroupReferences": [
      { "ResourceArn": "./ruleGroups/stateful-domainblock.example.json" },
      { "ResourceArn": "./ruleGroups/suricata-rule-reference.json" }
    ]
  }
}

Note

The ResourceArn attribute in the firewall policy file should contain the file path to the rule group file in the AWS CodeCommit repository.

  • RuleGroup – This directory contains the rule group configuration in JSON format, with the attributes documented for CreateRuleGroup. The rule group can be defined by providing details in the RuleGroup attribute or in the Rules attribute (Suricata flat format), as shown in the following stateful rule group file example.

{
  "RuleGroupName": "StatefulRulesExample1",
  "RuleGroup": {
    "RulesSource": {
      "RulesSourceList": {
        "TargetTypes": [ "HTTP_HOST" ],
        "Targets": [ "test.example.com", "test2.example.com" ],
        "GeneratedRulesType": "DENYLIST"
      }
    }
  },
  "Type": "STATEFUL",
  "Description": "Stateful Rule",
  "Capacity": 100
}

In the following example Suricata file, the Rules attribute references the drop.rules file where the rules are defined. For more information, refer to the Drop.rules example file.

{
  "RuleGroupName": "suricata-drop-rules",
  "Rules": "./ruleGroups/drop.rules",
  "Type": "STATEFUL",
  "Description": "Suricata rule group",
  "Capacity": 100
}

Note

The drop.rules file must be added to the configuration package, and only a local path is allowed. Amazon S3 and HTTP links are not allowed.
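As an added example that is not part of this solution or this page, the following Python script performs the checks described by the validation stage and the notes above on a constructed in-memory configuration package: every .json file must parse, each FirewallPolicyArn and ResourceArn value must resolve to a file in the package, and a Rules reference must be a local path rather than an Amazon S3 or HTTP link. The file paths, contents and error strings are constructed assumptions, and the script assumes the Rules attribute always names a .rules file in the package.

```python
import json
from urllib.parse import urlparse

# Constructed in-memory package (path -> file text) standing in for a checked-out
# CodeCommit repository. Hypothetical sample data, not the solution's own files.
PACKAGE = {
    "./firewalls/firewall-1.json": json.dumps({
        "FirewallName": "Firewall-1", "FirewallPolicyArn": "./firewallPolicies/firewall-policy-1.json"}),
    "./firewallPolicies/firewall-policy-1.json": json.dumps({
        "FirewallPolicyName": "Firewall-Policy-1",
        "FirewallPolicy": {"StatelessDefaultActions": ["aws:drop"],
                           "StatefulRuleGroupReferences": [
                               {"ResourceArn": "./ruleGroups/suricata-drop-rules.json"},
                               {"ResourceArn": "./ruleGroups/missing.json"}]}}),
    "./ruleGroups/suricata-drop-rules.json": json.dumps({
        "RuleGroupName": "suricata-drop-rules", "Type": "STATEFUL", "Capacity": 100,
        "Rules": "s3://example-bucket/drop.rules"}),  # S3 links are not allowed
    "./ruleGroups/broken.json": '{"RuleGroupName": "x",}',  # trailing comma: invalid JSON
}

def _check_ref(path, ref, package, errors):
    # A reference must be a local path present in the package; S3/HTTP links are rejected.
    if urlparse(ref).scheme:  # s3://, https://, or a literal arn:... value
        errors.append({"path": path, "error": f"Remote reference not allowed: {ref}"})
    elif ref not in package:
        errors.append({"path": path, "error": f"Referenced file not in package: {ref}"})

def validate_package(package):
    """Return [{"path", "error"}, ...] as in the INVALID FILES log; [] means valid."""
    errors = []
    for path, text in package.items():
        if not path.endswith(".json"):
            continue  # .rules files are only referenced, never parsed here
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as exc:
            errors.append({"path": path, "error": f"Invalid JSON: {exc.msg}"})
            continue
        if "FirewallPolicyArn" in doc:  # firewall file -> policy file
            _check_ref(path, doc["FirewallPolicyArn"], package, errors)
        policy = doc.get("FirewallPolicy", {})  # policy file -> rule group files
        for key in ("StatelessRuleGroupReferences", "StatefulRuleGroupReferences"):
            for ref in policy.get(key, []):
                _check_ref(path, ref.get("ResourceArn", ""), package, errors)
        if "RuleGroupName" in doc:  # rule group: exactly one of RuleGroup / Rules
            if ("RuleGroup" in doc) == ("Rules" in doc):
                errors.append({"path": path, "error": "Need exactly one of RuleGroup or Rules"})
            elif "Rules" in doc:  # assumed: Rules always names a .rules file in the package
                _check_ref(path, doc["Rules"], package, errors)
    return errors
```

Running validate_package(PACKAGE) reports the dangling rule group reference, the S3 link and the unparsable file, which is the set of problems that would leave the CodeBuild validation stage in a Failed state.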