AWS Network Firewall has stateful engine logging configured with at least one log type (FLOW, ALERT, or TLS) and an active log destination
Risk
Without Network Firewall logs there is no record of what the stateful engine allowed, alerted on, or dropped, so detection and forensics are blind. Malicious flows, command-and-control traffic, and data exfiltration can pass undetected, impacting:
- Confidentiality (data leakage leaves no trace to investigate)
- Integrity (unauthorized traffic that was allowed cannot be reconstructed after the fact)
- Availability (DDoS and scanning patterns go unnoticed)
prowler aws --checks networkfirewall_logging_enabled
Recommendation
Enable stateful engine logging and send FLOW, ALERT, and, when a TLS inspection configuration is attached, TLS events to a centralized, tamper-resistant destination (CloudWatch Logs, S3, or Kinesis Data Firehose). FLOW logs record every stateful connection; ALERT logs are only produced for traffic that matches a stateful rule with an alert or drop action, so enable FLOW at minimum and ALERT wherever such rules exist. Stateless rules are never logged. Apply least privilege to log writers and readers, enforce encryption and retention on the destination, and feed ALERT events into monitoring for defense in depth.
Remediation
aws network-firewall update-logging-configuration --firewall-arn <FIREWALL_ARN> --logging-configuration 'LogDestinationConfigs=[{LogType=FLOW,LogDestinationType=CloudWatchLogs,LogDestination={logGroup=<LOG_GROUP_NAME>}}]'
The log group must already exist. Valid LogDestinationType values are CloudWatchLogs, S3 and KinesisDataFirehose, with LogDestination keys logGroup, bucketName (plus optional prefix) and deliveryStream respectively. UpdateLoggingConfiguration replaces the whole configuration but accepts only one added or removed LogDestinationConfig per call, so to add ALERT or TLS logging repeat the command, passing the existing entries plus the one new entry each time.
- Open the AWS console and go to VPC > Network Firewall > Firewalls
- Select your firewall and open the Firewall details tab
- In the Logging section, click Edit
- Enable at least one Log type (e.g., Flow)
- Choose Destination type: CloudWatch Logs and select an existing log group
- Click Save
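The following is an added example, not Prowler's check implementation or AWS code. It applies the criterion from the title (at least one FLOW, ALERT or TLS log type with a complete destination) to the dict returned by describe-logging-configuration, and builds the one-change-per-call payloads that update-logging-configuration requires. The function names (active_log_types, plan_updates, remediate), the sample responses, and the ARN, bucket and log group names in them are this example's own constructed placeholders.

```python
"""Evaluate and remediate AWS Network Firewall stateful logging.

Added example; not Prowler's own check code. It works on the response shape of
`aws network-firewall describe-logging-configuration` (the same dict boto3
returns) and builds payloads for update-logging-configuration.
"""
from __future__ import annotations

from typing import Any

# Log types the stateful engine can emit (stateless rules are never logged).
VALID_LOG_TYPES = {"FLOW", "ALERT", "TLS"}

# Key the API expects inside LogDestination for each LogDestinationType.
DESTINATION_KEY = {
    "CloudWatchLogs": "logGroup",
    "S3": "bucketName",
    "KinesisDataFirehose": "deliveryStream",
}


def active_log_types(logging_configuration: dict[str, Any] | None) -> set[str]:
    """Return the log types that have a complete destination configured.

    An entry counts only if its LogType is valid, its LogDestinationType is a
    known destination and the destination dict carries the key that type needs
    (an empty LogDestination is treated as not active).
    """
    found: set[str] = set()
    for cfg in (logging_configuration or {}).get("LogDestinationConfigs", []):
        log_type = cfg.get("LogType")
        key = DESTINATION_KEY.get(cfg.get("LogDestinationType"))
        destination = cfg.get("LogDestination") or {}
        if log_type in VALID_LOG_TYPES and key and destination.get(key):
            found.add(log_type)
    return found


def logging_enabled(describe_response: dict[str, Any]) -> bool:
    """The criterion this page checks: at least one log type with an active destination."""
    return bool(active_log_types(describe_response.get("LoggingConfiguration")))


def cloudwatch_config(log_type: str, log_group: str) -> dict[str, Any]:
    """Build one LogDestinationConfig sending `log_type` to a CloudWatch log group."""
    if log_type not in VALID_LOG_TYPES:
        raise ValueError(f"unsupported log type {log_type!r}")
    return {
        "LogType": log_type,
        "LogDestinationType": "CloudWatchLogs",
        "LogDestination": {"logGroup": log_group},
    }


def plan_updates(current: dict[str, Any] | None,
                 desired: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the sequence of LoggingConfiguration payloads needed to reach `desired`.

    UpdateLoggingConfiguration replaces the whole configuration but accepts
    only one added or removed LogDestinationConfig per call, so each payload
    is the previous list plus exactly one new entry.
    """
    configs = list((current or {}).get("LogDestinationConfigs", []))
    payloads: list[dict[str, Any]] = []
    for cfg in desired:
        if cfg in configs:
            continue  # already present, nothing to send
        configs = configs + [cfg]
        payloads.append({"LogDestinationConfigs": configs})
    return payloads


def remediate(firewall_arn: str, desired: list[dict[str, Any]],
              region: str | None = None) -> int:
    """Apply `desired` to a real firewall; returns the number of update calls made.

    boto3 is imported here so the rest of the module runs offline. The log
    groups must already exist, and the caller needs
    network-firewall:DescribeLoggingConfiguration and
    network-firewall:UpdateLoggingConfiguration.
    """
    import boto3

    client = boto3.client("network-firewall", region_name=region)
    current = client.describe_logging_configuration(
        FirewallArn=firewall_arn).get("LoggingConfiguration")
    payloads = plan_updates(current, desired)
    for payload in payloads:
        client.update_logging_configuration(
            FirewallArn=firewall_arn, LoggingConfiguration=payload)
    return len(payloads)


# Constructed sample responses (placeholders, not captured from a real account).
_ARN = "arn:aws:network-firewall:us-east-1:123456789012:firewall/example"
SAMPLE_ENABLED = {
    "FirewallArn": _ARN,
    "LoggingConfiguration": {"LogDestinationConfigs": [
        cloudwatch_config("FLOW", "/aws/network-firewall/flow"),
        {"LogType": "ALERT", "LogDestinationType": "S3",
         "LogDestination": {"bucketName": "example-nfw-logs", "prefix": "alerts"}},
    ]},
}
SAMPLE_EMPTY_DESTINATION = {  # log type declared but destination missing: FAIL
    "FirewallArn": _ARN,
    "LoggingConfiguration": {"LogDestinationConfigs": [
        {"LogType": "FLOW", "LogDestinationType": "CloudWatchLogs", "LogDestination": {}},
    ]},
}
SAMPLE_NO_LOGGING = {"FirewallArn": _ARN}  # no LoggingConfiguration at all: FAIL
```

Run remediate(<FIREWALL_ARN>, [cloudwatch_config("FLOW", ...), cloudwatch_config("ALERT", ...)]) with credentials that hold the two listed permissions; the plan_updates step is what keeps each API call to a single added destination, which is the constraint a one-shot update with both entries would violate.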
Source Code
Resource Type
AwsNetworkFirewallFirewall
References
- https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html
- https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-update-logging-configuration.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-2