A collection of AWS Security controls for AWS Network Firewall. Configuration items include Firewall endpoints, Firewall Rule Policies, and Firewall Rule Groups (Stateful and Stateless) used to deploy network protections for VPC resources by enforcing traffic flows, filtering URLs, and inspecting traffic for vulnerabilities using IPS signatures.

Network Firewall
AWS Network Firewall Custom Configuration Template

Configuration templates to create AWS Network Firewall related settings including Firewall endpoints, Firewall Rule Policies, and Firewall Rule Groups (Stateful and Stateless) used to deploy network protections for VPC resources by enforcing traffic flows, filtering URLs, and inspecting traffic for vulnerabilities using IPS signatures.

Formats: CloudFormation, Terraform, AWS CLI
AWS Network Firewall

This template creates an AWS Network Firewall using a specified firewall policy and deploys it in a VPC with two subnets. The template also allows a description and tags to be added to the firewall.

CloudFormation
AWS Network Firewall Policy

This template creates an AWS Network Firewall policy with stateful and stateless rule groups. It allows you to specify the ARNs of the rule groups and to set the default actions for stateless traffic. The template also supports adding tags for easier management.

CloudFormation
AWS Network Firewall Logging Configuration with CloudWatch Logs and Kinesis Data Firehose

This template creates a logging configuration for a Network Firewall. It specifies that alert logs should be sent to an Amazon CloudWatch Logs log group and flow logs should be sent to an Amazon Kinesis Data Firehose delivery stream.

CloudFormation
AWS Network Firewall Logging Configuration with Amazon S3

This template creates a logging configuration for a Network Firewall. It specifies that flow logs should be sent to an Amazon S3 bucket.

CloudFormation
AWS Network Firewall: Stateful Rule Group

This template creates a stateful rule group for AWS Network Firewall. The rule group allows TCP traffic from a specific source IP range to a specific destination IP range on a specific port. It has a capacity of 100 and can be tagged with custom key-value pairs.

CloudFormation
AWS Network Firewall: Stateless Rule Group

This template creates a stateless rule group for AWS Network Firewall. The rule group allows traffic from any source IP address to destinations in the 10.0.0.0/8 subnet on ports 15000-30000, using protocol 6 (TCP), and allows outbound traffic on port 443 (HTTPS).

CloudFormation
Config Rule
Network Firewall Policy has Default Action for Fragment Packets

A Config rule that checks whether an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if the stateless default action for fragmented packets does not match the user-defined default action.

CloudFormation, Terraform, AWS CLI
Network Firewall Policy has Default Action for Full Packets

A Config rule that checks whether an AWS Network Firewall policy is configured with a user-defined default stateless action for full packets. The rule is NON_COMPLIANT if the default stateless action for full packets does not match the user-defined default stateless action.

CloudFormation, Terraform, AWS CLI
Network Firewall Policy Associated with a Rule Group

A Config rule that checks whether an AWS Network Firewall policy is associated with at least one stateful or stateless rule group. The rule is NON_COMPLIANT if no stateful or stateless rule groups are associated with the Network Firewall policy, and COMPLIANT if at least one rule group is associated.

CloudFormation, Terraform, AWS CLI
Network Firewall Stateless Rule Group is Not Empty

A Config rule that checks whether a stateless Network Firewall rule group contains rules. The rule is NON_COMPLIANT if the stateless rule group contains no rules.

CloudFormation, Terraform, AWS CLI
Check if Network Firewall Logging is Enabled

Checks whether AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if the specified logging type is not configured. You can specify which logging type (for example, alert or flow) you want the rule to check.

CloudFormation
Check if Network Firewall is deployed across multiple Availability Zones

Checks whether AWS Network Firewall firewalls are deployed across multiple Availability Zones. The rule is NON_COMPLIANT if a firewall is deployed in only one Availability Zone, or in fewer zones than the number given in the optional parameter.

CloudFormation