AWS Network Firewall firewalls have deletion protection enabled (DeleteProtection=true).
Risk
Without deletion protection, a firewall can be removed accidentally or by a compromised identity, letting traffic bypass inspection and logging.
This threatens confidentiality and integrity via unfiltered access, and harms availability through routing disruption and loss of perimeter controls.
prowler aws --checks networkfirewall_deletion_protection
Recommendation
Enable deletion protection on every firewall (DeleteProtection=true). Enforce least privilege to prevent delete actions, require change approval for firewall modifications, and implement guardrails with policy-as-code. Apply defense in depth so alternate controls contain traffic if a firewall is altered.
Remediation
aws network-firewall update-firewall-delete-protection --firewall-name <FIREWALL_NAME> --delete-protection
- Open the AWS console and go to VPC > Network Firewall > Firewalls
- Select the target firewall
- On Firewall details, choose Edit (or Change protections)
- Enable Deletion protection
- Save changes
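The evaluation the check performs, written out as an added example (this is not Prowler's own source, nor AWS code): each firewall's describe_firewall response is inspected and a finding is produced, with a missing DeleteProtection field treated as unprotected so the check fails closed. The sample responses are constructed, and the remediate_live helper is a hypothetical wrapper around the same API the CLI remediation above uses; it needs AWS credentials and boto3, so it is not called by default.

```python
"""Evaluate AWS Network Firewall DeleteProtection the way the check does.

Added example, not Prowler's or AWS's code. Sample data is constructed.
"""
from dataclasses import dataclass

# Constructed sample responses in the shape boto3 returns from
# network-firewall describe_firewall (only the fields used here).
SAMPLE_DESCRIBE_RESPONSES = [
    {"Firewall": {"FirewallName": "prod-egress-fw",
                  "FirewallArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/prod-egress-fw",
                  "DeleteProtection": True}},
    {"Firewall": {"FirewallName": "dev-fw",
                  "FirewallArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/dev-fw",
                  "DeleteProtection": False}},
    # Field absent entirely: must still be reported as unprotected.
    {"Firewall": {"FirewallName": "legacy-fw",
                  "FirewallArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/legacy-fw"}},
]


@dataclass
class Finding:
    firewall_name: str
    firewall_arn: str
    status: str            # "PASS" or "FAIL"
    status_extended: str   # human-readable explanation


def evaluate_firewall(response: dict) -> Finding:
    """Return PASS only when DeleteProtection is explicitly true."""
    fw = response.get("Firewall", {})
    name = fw.get("FirewallName", "<unknown>")
    arn = fw.get("FirewallArn", "")
    # `is True` rejects None, missing keys and non-boolean junk: fail closed.
    if fw.get("DeleteProtection") is True:
        return Finding(name, arn, "PASS",
                       f"Network Firewall {name} has deletion protection enabled.")
    return Finding(name, arn, "FAIL",
                   f"Network Firewall {name} does not have deletion protection enabled.")


def evaluate_all(responses: list) -> list:
    return [evaluate_firewall(r) for r in responses]


def failing_names(responses: list) -> list:
    """Names of firewalls that need remediation."""
    return [f.firewall_name for f in evaluate_all(responses) if f.status == "FAIL"]


def remediate_live(firewall_name: str, region: str) -> dict:
    """Hypothetical helper: enable deletion protection for one firewall.

    Requires boto3 and AWS credentials; equivalent to
    `aws network-firewall update-firewall-delete-protection --delete-protection`.
    """
    import boto3  # imported lazily so the offline check logic has no dependency
    client = boto3.client("network-firewall", region_name=region)
    return client.update_firewall_delete_protection(
        FirewallName=firewall_name, DeleteProtection=True)


if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_DESCRIBE_RESPONSES):
        print(finding.status, finding.firewall_name, "-", finding.status_extended)
    print("needs remediation:", failing_names(SAMPLE_DESCRIBE_RESPONSES))
```

Run it as-is to see one PASS and two FAIL findings; in a real account you would replace the constructed list with the output of describe_firewall for every firewall returned by list_firewalls, and only then consider calling remediate_live for each name in failing_names.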
Resource Type
AwsNetworkFirewallFirewall