AWS Network Firewall - Strict Rule Ordering (Logging Example) - Terraform Sample

This repository contains Terraform code to deploy a single VPC with inspection using AWS Network Firewall. The stateful rule groups use Strict Rule Ordering, and the end goal of this example is to show how you can log both ALLOWED and DENIED traffic to the same destination directly from Network Firewall. CloudWatch Logs is used as the destination in this example.

The resources deployed and the architectural pattern they follow are purely for demonstration/testing purposes.

Prerequisites

  • An AWS account with an IAM user with the appropriate permissions
  • Terraform installed

Code Principles:

  • Writing DRY (Do Not Repeat Yourself) code using a modular design pattern

Usage

  • Clone the repository
  • Edit the variables.tf file in the project root directory. This file contains the variables that are used to configure the environment.
  • Initialize Terraform using terraform init
  • Deploy the template using terraform apply

Note: The default number of Availability Zones to use is 1, although you can change this number in the input variables up to a maximum of 3. To follow best practices, each resource - EC2 instance, NAT Gateway, SSM endpoints, and Network Firewall endpoint - is created in every Availability Zone you select. Keep this in mind to avoid extra costs, unless you are happy to deploy more resources and accept the additional cost.

Deployment

AWS Network Firewall

The AWS Network Firewall policy is defined in the policy.tf file in the firewall directory. The firewall policy is configured to use Strict Rule Ordering with "Alert All" and "Drop All" as the stateful default actions. Three rule groups are configured:

  • One stateless rule group denying any SSH or RDP communication.
  • Two stateful rule groups: one allowing ICMP communication, and another one allowing communication with the domains "example.com" and ".amazon.com".

Every pass rule is duplicated by an identical alert rule placed directly before it. With strict ordering the alert rule is evaluated first and writes the ALLOWED entry to the log; the pass rule that follows it then allows the communication. Because of the default actions, any other communication is DENIED and logged to the same destination (the ALERT log).
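The following is an added example and not the repository's own policy.tf: it shows how the alert-then-pass duplication and the strict-order default actions fit together. The resource names follow the README's resource list (allow_icmp, allow_domains, drop_remote, anfw_policy); var.identifier, the rule text, the capacities and the reference priorities are assumptions.

```hcl
# Added example, not the repository's policy.tf. Resource names follow the
# README's resource list; var.identifier, rule text, capacities and
# priorities are assumptions.

# Stateful group 1: allow ICMP. In STRICT_ORDER the rules are evaluated in
# exactly the order written, so the alert rule fires (producing the ALLOWED
# log entry) before the pass rule lets the packet through.
resource "aws_networkfirewall_rule_group" "allow_icmp" {
  name     = "${var.identifier}-allow-icmp"
  type     = "STATEFUL"
  capacity = 10

  rule_group {
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
    rules_source {
      rules_string = <<-EOT
        alert icmp any any -> any any (msg:"ALLOWED ICMP"; sid:1; rev:1;)
        pass  icmp any any -> any any (msg:"pass ICMP";    sid:2; rev:1;)
      EOT
    }
  }
}

# Stateful group 2: allow example.com and any host under .amazon.com by TLS
# SNI. Same pattern: every pass rule has an identical alert rule directly
# above it. (Assumed rule text; the repository may express its domain list
# differently.)
resource "aws_networkfirewall_rule_group" "allow_domains" {
  name     = "${var.identifier}-allow-domains"
  type     = "STATEFUL"
  capacity = 50

  rule_group {
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
    rules_source {
      rules_string = <<-EOT
        alert tls any any -> any any (tls.sni; content:"example.com"; startswith; endswith; nocase; msg:"ALLOWED TLS example.com"; sid:10; rev:1;)
        pass  tls any any -> any any (tls.sni; content:"example.com"; startswith; endswith; nocase; msg:"pass TLS example.com"; sid:11; rev:1;)
        alert tls any any -> any any (tls.sni; dotprefix; content:".amazon.com"; endswith; nocase; msg:"ALLOWED TLS .amazon.com"; sid:12; rev:1;)
        pass  tls any any -> any any (tls.sni; dotprefix; content:".amazon.com"; endswith; nocase; msg:"pass TLS .amazon.com"; sid:13; rev:1;)
      EOT
    }
  }
}

# Firewall policy: strict ordering with "Drop All" + "Alert All" defaults.
# A flow that reaches the end of the rule groups without a pass match is
# logged (the DENIED entry) and dropped, into the same ALERT log as the
# ALLOWED entries above.
resource "aws_networkfirewall_firewall_policy" "anfw_policy" {
  name = "${var.identifier}-policy"

  firewall_policy {
    # Stateless layer: the SSH/RDP drop group runs first; everything else is
    # handed to the stateful engine.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateless_rule_group_reference {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.drop_remote.arn
    }

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]

    # With STRICT_ORDER the reference priority decides which group is
    # evaluated first.
    stateful_rule_group_reference {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.allow_icmp.arn
    }
    stateful_rule_group_reference {
      priority     = 20
      resource_arn = aws_networkfirewall_rule_group.allow_domains.arn
    }
  }
}
```

One check before reusing this pattern: a pass rule keyed on the TLS SNI can only match once the ClientHello has been seen, while the TCP handshake packets arrive before it. Under aws:drop_strict those handshake packets need a pass rule of their own (or the aws:drop_established default action in place of aws:drop_strict), so compare with the repository's policy.tf for how this sample handles it.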

Logging Configuration

  • VPC Flow Logs are configured and sent to a CloudWatch Log Group. Amazon S3 and Amazon Kinesis Data Firehose can also be used as the logging destination.
  • AWS Network Firewall logs are also configured, both ALERT and FLOW, each to its own CloudWatch Log Group. Amazon S3 or Amazon Kinesis Data Firehose can also be used as the logging destination.
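As an added example (not the repository's own code), this is how the two Network Firewall log types and VPC Flow Logs can all be delivered to CloudWatch Logs. The resource names match the README's resource list (anfwlogs_lg_alert, anfwlogs_lg_flow, flowlogs_lg, anfw_logs, vpc_flowlog, log_key, vpc_flowlogs_role); the log group names, retention period and the KMS key policy are assumptions.

```hcl
# Added example, not the repository's own code. Resource names match the
# README's resource list; log group names, retention and the KMS key
# reference are assumptions.

resource "aws_cloudwatch_log_group" "anfwlogs_lg_alert" {
  name              = "anfw-alert-${var.identifier}"
  retention_in_days = 7
  # Assumed: aws_kms_key.log_key's policy allows the CloudWatch Logs
  # service principal to use the key.
  kms_key_id = aws_kms_key.log_key.arn
}

resource "aws_cloudwatch_log_group" "anfwlogs_lg_flow" {
  name              = "anfw-flow-${var.identifier}"
  retention_in_days = 7
  kms_key_id        = aws_kms_key.log_key.arn
}

resource "aws_cloudwatch_log_group" "flowlogs_lg" {
  name              = "vpc-flowlogs-${var.identifier}"
  retention_in_days = 7
  kms_key_id        = aws_kms_key.log_key.arn
}

# ALERT carries every alert-rule hit plus the alerts raised by the default
# action, so ALLOWED and DENIED entries land in one log group; FLOW carries
# the per-flow records. Either destination could instead be S3 or Kinesis
# Data Firehose.
resource "aws_networkfirewall_logging_configuration" "anfw_logs" {
  firewall_arn = aws_networkfirewall_firewall.anfw.arn

  logging_configuration {
    log_destination_config {
      log_destination      = { logGroup = aws_cloudwatch_log_group.anfwlogs_lg_alert.name }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    }
    log_destination_config {
      log_destination      = { logGroup = aws_cloudwatch_log_group.anfwlogs_lg_flow.name }
      log_destination_type = "CloudWatchLogs"
      log_type             = "FLOW"
    }
  }
}

# VPC Flow Logs (ACCEPT, REJECT or ALL, from var.vpcflowlog_type) to the
# third log group, delivered through a role that is allowed to write to it.
resource "aws_flow_log" "vpc_flowlog" {
  vpc_id               = aws_vpc.vpc.id
  traffic_type         = var.vpcflowlog_type
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flowlogs_lg.arn
  iam_role_arn         = aws_iam_role.vpc_flowlogs_role.arn
}
```

When reading the ALERT log group, each entry is a Suricata EVE record under the `event` key: `event.alert.signature` carries the rule's msg text (the ALLOWED entries from the alert rules), while entries produced by the default action have no rule message and show the drop in `event.alert.action`. Filtering on those two fields in CloudWatch Logs Insights is enough to see allowed and denied traffic side by side.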

Target Architecture

Architecture diagram

References

Cleanup

Remember to clean up after your work is complete. You can do that by running terraform destroy.

Note that this command will delete all the resources previously created by Terraform.

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Requirements

Name       Version
terraform  >= 1.3.0
aws        >= 4.28.0
awscc      >= 0.30.0

Providers

Name  Version
aws   4.36.1

Modules

No modules.

Resources

Name                                                        Type
aws_cloudwatch_log_group.anfwlogs_lg_alert                  resource
aws_cloudwatch_log_group.anfwlogs_lg_flow                   resource
aws_cloudwatch_log_group.flowlogs_lg                        resource
aws_default_security_group.default_sg                       resource
aws_eip.eip                                                 resource
aws_flow_log.vpc_flowlog                                    resource
aws_iam_instance_profile.ec2_ssm_instance_profile           resource
aws_iam_policy_attachment.ssm_iam_role_polcy_attachment     resource
aws_iam_role.role_ec2_ssm                                   resource
aws_iam_role.vpc_flowlogs_role                              resource
aws_iam_role_policy.vpc_flowlogs_role_policy                resource
aws_instance.ec2_instance                                   resource
aws_internet_gateway.igw                                    resource
aws_kms_key.log_key                                         resource
aws_nat_gateway.natgw                                       resource
aws_networkfirewall_firewall.anfw                           resource
aws_networkfirewall_firewall_policy.anfw_policy             resource
aws_networkfirewall_logging_configuration.anfw_logs         resource
aws_networkfirewall_rule_group.allow_domains                resource
aws_networkfirewall_rule_group.allow_icmp                   resource
aws_networkfirewall_rule_group.drop_remote                  resource
aws_route.igw_to_public_endpoints                           resource
aws_route.inspection_to_igw                                 resource
aws_route.private_to_igw_natgw                              resource
aws_route.public_to_igw_endpoints                           resource
aws_route_table.vpc_endpoints_rt                            resource
aws_route_table.vpc_igw_rt                                  resource
aws_route_table.vpc_inspection_rt                           resource
aws_route_table.vpc_private_rt                              resource
aws_route_table.vpc_public_rt                               resource
aws_route_table_association.vpc_endpoint_rt_assoc           resource
aws_route_table_association.vpc_igw_rt_assoc                resource
aws_route_table_association.vpc_inspection_rt_assoc         resource
aws_route_table_association.vpc_private_rt_assoc            resource
aws_route_table_association.vpc_public_rt_assoc             resource
aws_security_group.security_groups                          resource
aws_subnet.vpc_endpoints_subnets                            resource
aws_subnet.vpc_inspection_subnets                           resource
aws_subnet.vpc_private_subnets                              resource
aws_subnet.vpc_public_subnets                               resource
aws_vpc.vpc                                                 resource
aws_vpc_endpoint.endpoint                                   resource
aws_ami.amazon_linux                                        data source
aws_availability_zones.available                            data source
aws_caller_identity.current                                 data source
aws_iam_policy_document.policy_document                     data source
aws_iam_policy_document.policy_kms_logs_document            data source
aws_iam_policy_document.policy_role_document                data source
aws_iam_policy_document.policy_rolepolicy_document          data source

Inputs

Name                Description                                                    Type               Default             Required
aws_region          AWS Region to create the environment.                          string             "eu-west-1"         no
cidr_block          VPC's CIDR block.                                              string             "10.0.0.0/24"       no
identifier          Project name, used as identifier when creating resources.      string             "anfw-strict-rule"  no
instance_type       Instance type of the instances created.                        string             "t2.micro"          no
number_azs          Number of Availability Zones to create resources in the VPC.   number             1                   no
subnet_cidr_blocks  Subnet CIDR blocks.                                            map(list(string))  (see below)         no
vpcflowlog_type     The type of traffic to log in VPC Flow Logs.                   string             "ALL"               no

Default value of subnet_cidr_blocks:

{
  "endpoints":  ["10.0.0.144/28", "10.0.0.160/28", "10.0.0.176/28"],
  "inspection": ["10.0.0.0/28",   "10.0.0.16/28",  "10.0.0.32/28"],
  "private":    ["10.0.0.96/28",  "10.0.0.112/28", "10.0.0.128/28"],
  "public":     ["10.0.0.48/28",  "10.0.0.64/28",  "10.0.0.80/28"]
}

Outputs

Name                  Description
aws_network_firewall  AWS Network Firewall ID.
subnets               Subnet IDs (per type).
vpc_id                VPC ID.

Contributors

amazon-auto, pablo19sc
