VPCs with an AWS Network Firewall associated with the VPC to inspect and filter network traffic.
Identifies VPCs that do not have a Network Firewall resource linked to them.
Risk
Without a Network Firewall, VPC traffic can bypass deep inspection and centralized policy enforcement, enabling data exfiltration, command-and-control, and lateral movement. Confidentiality is reduced by unmonitored flows; integrity and availability are threatened by malware and disruptive traffic.
prowler aws --checks networkfirewall_in_all_vpc
Recommendation
Deploy AWS Network Firewall in each VPC or centralize inspection through a dedicated hub VPC.
Adopt a default-deny posture with least-privilege rules, restrict egress to required destinations, segment workloads (defense in depth, zero trust), and enable logging to monitor and tune network policies.
Remediation
aws network-firewall create-firewall --firewall-name <example_resource_name> --firewall-policy-arn <example_resource_id> --vpc-id <example_resource_id> --subnet-mappings "SubnetId=<example_resource_id>"
- In the AWS Console, go to Network Firewall > Firewalls > Create firewall
- Enter a name and select the target VPC
- Select an existing Firewall policy (or create one when prompted)
- Add at least one subnet from the VPC under Subnet mappings
- Choose Create firewall
- Verify the firewall shows under the selected VPC
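The check's core logic, reproduced here as an added example (not Prowler's own source): a VPC passes only when some Network Firewall reports that VPC as its VpcId. The pure function works offline on constructed sample data shaped like the boto3 responses; the live variant assumes boto3 and configured AWS credentials and is not exercised here.

```python
from typing import Iterable, List


def vpcs_without_firewall(vpc_ids: Iterable[str], firewalls: Iterable[dict]) -> List[str]:
    """Return the VPC IDs that have no Network Firewall attached.

    `firewalls` are dicts shaped like the 'Firewall' key of a
    describe-firewall response; only 'VpcId' is read. A firewall without
    a VpcId (still being created) protects nothing and is ignored.
    """
    protected = {fw["VpcId"] for fw in firewalls if fw.get("VpcId")}
    return sorted(v for v in vpc_ids if v not in protected)


def collect_from_account(region: str) -> List[str]:
    """Live variant: feed the same logic from boto3 (assumes credentials)."""
    import boto3  # imported lazily so the offline part needs no AWS SDK

    ec2 = boto3.client("ec2", region_name=region)
    nfw = boto3.client("network-firewall", region_name=region)
    vpc_ids = [
        v["VpcId"]
        for page in ec2.get_paginator("describe_vpcs").paginate()
        for v in page["Vpcs"]
    ]
    # ListFirewalls returns only name/ARN; DescribeFirewall carries the VpcId.
    firewalls = []
    for page in nfw.get_paginator("list_firewalls").paginate():
        for meta in page["Firewalls"]:
            fw = nfw.describe_firewall(FirewallArn=meta["FirewallArn"])["Firewall"]
            firewalls.append(fw)
    return vpcs_without_firewall(vpc_ids, firewalls)


# Constructed sample data, not from a real account: three VPCs, one firewall.
SAMPLE_VPCS = ["vpc-0aaa", "vpc-0bbb", "vpc-0ccc"]
SAMPLE_FIREWALLS = [
    {"FirewallName": "fw-prod", "VpcId": "vpc-0aaa"},
    {"FirewallName": "fw-pending"},  # no VpcId yet, must not count as coverage
]

if __name__ == "__main__":
    for vpc in vpcs_without_firewall(SAMPLE_VPCS, SAMPLE_FIREWALLS):
        print(f"FAIL: VPC {vpc} does not have a Network Firewall associated")
```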
Resource Type
AwsEc2Vpc