
Network Firewall stateless rule groups should not be empty

Description

This control verifies whether an AWS Network Firewall stateless rule group includes at least one rule.

A rule group contains rules that define how the firewall handles traffic within your VPC. While an empty stateless rule group in a firewall policy might seem like it would process traffic, it has no effect without any defined rules.
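The check described above can be reproduced against the output of the Network Firewall `DescribeRuleGroup` API. The following is an added example, not Datadog's rule implementation: the function names and the sample responses are constructed for illustration, and `fetch_rule_groups` assumes `boto3` is installed with credentials that allow `ListRuleGroups` and `DescribeRuleGroup`.

```python
"""Flag AWS Network Firewall stateless rule groups that contain no rules."""


def is_empty_stateless(resp):
    """True if a DescribeRuleGroup response is a STATELESS group with zero rules."""
    if resp.get("RuleGroupResponse", {}).get("Type") != "STATELESS":
        return False  # stateful groups are out of scope for this control
    source = resp.get("RuleGroup", {}).get("RulesSource", {})
    # A missing or null StatelessRulesAndCustomActions block counts as empty.
    stateless = source.get("StatelessRulesAndCustomActions") or {}
    return len(stateless.get("StatelessRules") or []) == 0


def empty_stateless_rule_groups(responses):
    """Return the sorted names of all empty stateless rule groups."""
    return sorted(
        r["RuleGroupResponse"]["RuleGroupName"]
        for r in responses
        if is_empty_stateless(r)
    )


def fetch_rule_groups(region):
    """Yield live DescribeRuleGroup responses (assumes boto3 and credentials)."""
    import boto3  # imported lazily so the offline check has no dependency
    client = boto3.client("network-firewall", region_name=region)
    for page in client.get_paginator("list_rule_groups").paginate():
        for item in page["RuleGroups"]:
            yield client.describe_rule_group(RuleGroupArn=item["Arn"])


def _group(name, kind, rules_source):
    """Build a constructed DescribeRuleGroup-shaped response."""
    return {"RuleGroupResponse": {"RuleGroupName": name, "Type": kind},
            "RuleGroup": {"RulesSource": rules_source}}


# Constructed sample data, shaped like DescribeRuleGroup responses.
_RULE = {"Priority": 1, "RuleDefinition": {
    "MatchAttributes": {"Sources": [{"AddressDefinition": "10.0.0.0/16"}],
                        "Protocols": [6]},
    "Actions": ["aws:forward_to_sfe"]}}
SAMPLE_RESPONSES = [
    _group("edge-allow", "STATELESS",
           {"StatelessRulesAndCustomActions": {"StatelessRules": [_RULE]}}),
    _group("placeholder", "STATELESS",
           {"StatelessRulesAndCustomActions": {"StatelessRules": []}}),
    _group("no-source", "STATELESS", {}),
    _group("suricata-ids", "STATEFUL", {"RulesString": ""}),
]

if __name__ == "__main__":
    print(empty_stateless_rule_groups(SAMPLE_RESPONSES))
```

To run it against an account, pass `fetch_rule_groups("<region>")` to `empty_stateless_rule_groups` in place of the sample list.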

Remediation

For guidance on configuring firewall logging, refer to the Updating a stateful rule group section of the AWS Network Firewall Developer Guide.