# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 # --- root/firewall_policy.tf --- # FIREWALL POLICIES # Production Traffic resource "aws_networkfirewall_firewall_policy" "anfw_policy_prod" { name = "firewall-policy-prod-${var.project_identifier}" firewall_policy { # Stateless configuration stateless_default_actions = ["aws:forward_to_sfe"] stateless_fragment_default_actions = ["aws:forward_to_sfe"] stateless_rule_group_reference { priority = 10 resource_arn = aws_networkfirewall_rule_group.drop_remote.arn } # Stateful configuration stateful_engine_options { rule_order = "STRICT_ORDER" } stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"] stateful_rule_group_reference { priority = 10 resource_arn = aws_networkfirewall_rule_group.allow_icmp.arn } stateful_rule_group_reference { priority = 20 resource_arn = aws_networkfirewall_rule_group.allow_domains.arn } } } # Non-Production Traffic resource "aws_networkfirewall_firewall_policy" "anfw_policy_non_prod" { name = "firewall-policy-non-prod-${var.project_identifier}" firewall_policy { # Stateless configuration stateless_default_actions = ["aws:forward_to_sfe"] stateless_fragment_default_actions = ["aws:forward_to_sfe"] stateless_rule_group_reference { priority = 10 resource_arn = aws_networkfirewall_rule_group.drop_remote.arn } # Stateful configuration stateful_engine_options { rule_order = "STRICT_ORDER" } stateful_rule_group_reference { priority = 10 resource_arn = aws_networkfirewall_rule_group.drop_domains.arn } } } # Traffic between segments resource "aws_networkfirewall_firewall_policy" "anfw_policy" { name = "firewall-policy-${var.project_identifier}" firewall_policy { # Stateless configuration stateless_default_actions = ["aws:forward_to_sfe"] stateless_fragment_default_actions = ["aws:forward_to_sfe"] stateless_rule_group_reference { priority = 10 resource_arn = aws_networkfirewall_rule_group.drop_remote.arn } # Stateful configuration stateful_engine_options { rule_order = "STRICT_ORDER" } stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"] stateful_rule_group_reference { priority = 10 resource_arn = aws_networkfirewall_rule_group.allow_icmp.arn } } } # STATELESS RULE GROUP # Stateless Rule Group 1 - Dropping any SSH or RDP connection resource "aws_networkfirewall_rule_group" "drop_remote" { capacity = 2 name = "drop-remote-${var.project_identifier}" type = "STATELESS" rule_group { rules_source { stateless_rules_and_custom_actions { stateless_rule { priority = 1 rule_definition { actions = ["aws:drop"] match_attributes { protocols = [6] source { address_definition = "0.0.0.0/0" } source_port { from_port = 22 to_port = 22 } destination { address_definition = "0.0.0.0/0" } destination_port { from_port = 22 to_port = 22 } } } } stateless_rule { priority = 2 rule_definition { actions = ["aws:drop"] match_attributes { protocols = [27] source { address_definition = "0.0.0.0/0" } destination { address_definition = "0.0.0.0/0" } } } } } } } } # STATEFUL RULE GROUPS # Stateful Rule Group 1 - Allowing ICMP traffic resource "aws_networkfirewall_rule_group" "allow_icmp" { capacity = 100 name = "allow-icmp-${var.project_identifier}" type = "STATEFUL" rule_group { rules_source { rules_string = < any any (msg: "Allowing ICMP packets"; sid:2; rev:1;) EOF } stateful_rule_options { rule_order = "STRICT_ORDER" } } } # Stateful Rule Group 2 - Allowing access to .amazon.com (HTTPS) resource "aws_networkfirewall_rule_group" "allow_domains" { capacity = 100 name = "allow-domains-${var.project_identifier}" type = "STATEFUL" rule_group { rules_source { rules_string = < $EXTERNAL_NET 443 (msg:"Allowing TCP in port 443"; flow:not_established; sid:892123; rev:1;) pass tls any any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazon.com"; endswith; msg:"Allowing .amazon.com HTTPS requests"; sid:892125; rev:1;) EOF } stateful_rule_options { rule_order = "STRICT_ORDER" } } } # Stateful Rule Group 3 - Dening access to .google.com (HTTPS) resource "aws_networkfirewall_rule_group" "drop_domains" { capacity = 100 name = "drop-domains-${var.project_identifier}" type = "STATEFUL" rule_group { rules_source { rules_string = < $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".google.com"; endswith; msg:"Dropping .google.com HTTPS requests"; sid:892125; rev:1;) drop tcp any any <> $EXTERNAL_NET 443 (msg:"Allowing TCP in port 443"; flow:not_established; sid:892127; rev:1;) EOF } stateful_rule_options { rule_order = "STRICT_ORDER" } } } # Stateful Rule Group 4 - Dening ICMP packets within the AWS Network (10.0.0.0/8) resource "aws_networkfirewall_rule_group" "drop_icmp_local" { capacity = 100 name = "drop-icmp-local-${var.project_identifier}" type = "STATEFUL" rule_group { rules_source { rules_string = < 10.0.0.0/8 any (msg: "Dropping ICMP packets"; sid:2; rev:1;) pass icmp any any -> any any (msg: "Allowing ICMP packets"; sid:3; rev:1;) EOF } stateful_rule_options { rule_order = "STRICT_ORDER" } } }