For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-vpc-without-network-firewall.md. A documentation index is available at /llms.txt.

VPC without Network Firewall

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-vpc-without-network-firewall

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Networking and Firewall

Learn More

Description

VPCs should be associated with AWS Network Firewall to enable centralized traffic inspection and enforcement of network policies. This helps prevent lateral movement and detect or block malicious east–west and north–south traffic.

This rule checks CloudFormation for AWS::EC2::VPC resources that are not referenced by any AWS::NetworkFirewall::Firewall via the firewall’s Properties.VpcId. The VpcId property in AWS::NetworkFirewall::Firewall must reference the VPC (for example, using Ref to the VPC logical ID). VPC resources without an associated AWS::NetworkFirewall::Firewall will be flagged.

Secure configuration example (Network Firewall referencing the VPC):

MyVPC:
  Type: AWS::EC2::VPC
  Properties:
    CidrBlock: 10.0.0.0/16

MyNetworkFirewall:
  Type: AWS::NetworkFirewall::Firewall
  Properties:
    FirewallName: my-firewall
    VpcId:
      Ref: MyVPC
    SubnetMappings:
      - SubnetId: subnet-0123456789abcdef0
    FirewallPolicyArn: arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/example-policy

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myVPC1:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: 'false'
        EnableDnsHostnames: 'false'
        InstanceTenancy: dedicated
    SampleFirewall:
      Type: AWS::NetworkFirewall::Firewall
      Properties:
        FirewallName: SampleFirewallName
        FirewallPolicyArn: !Ref SampleFirewallPolicy
        VpcId: !Ref myVPC1
        SubnetMappings:
          - SubnetId: !Ref SampleSubnet1
          - SubnetId: !Ref SampleSubnet2
        Description: Firewall description goes here

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SampleFirewall": {
      "Properties": {
        "Description": "Firewall description goes here",
        "FirewallName": "SampleFirewallName",
        "FirewallPolicyArn": "SampleFirewallPolicy",
        "SubnetMappings": [
          {
            "SubnetId": "SampleSubnet1"
          },
          {
            "SubnetId": "SampleSubnet2"
          }
        ],
        "VpcId": "myVPC1"
      },
      "Type": "AWS::NetworkFirewall::Firewall"
    },
    "myVPC1": {
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": "false",
        "EnableDnsSupport": "false",
        "InstanceTenancy": "dedicated"
      },
      "Type": "AWS::EC2::VPC"
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myVPC11:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: 'false'
        EnableDnsHostnames: 'false'
        InstanceTenancy: dedicated
    SampleFirewall:
      Type: AWS::NetworkFirewall::Firewall
      Properties:
        FirewallName: SampleFirewallName
        FirewallPolicyArn: !Ref SampleFirewallPolicy
        VpcId: !Ref myVPC
        SubnetMappings:
          - SubnetId: !Ref SampleSubnet1
          - SubnetId: !Ref SampleSubnet2
        Description: Firewall description goes here

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SampleFirewall": {
      "Properties": {
        "Description": "Firewall description goes here",
        "FirewallName": "SampleFirewallName",
        "FirewallPolicyArn": "SampleFirewallPolicy",
        "SubnetMappings": [
          {
            "SubnetId": "SampleSubnet1"
          },
          {
            "SubnetId": "SampleSubnet2"
          }
        ],
        "VpcId": "myVPC"
      },
      "Type": "AWS::NetworkFirewall::Firewall"
    },
    "myVPC11": {
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": "false",
        "EnableDnsSupport": "false",
        "InstanceTenancy": "dedicated"
      },
      "Type": "AWS::EC2::VPC"
    }
  }
}