AWS Network Firewall


Last updated on December 28, 2025

AWS Network Firewall Cheat Sheet

  • AWS Network Firewall is a managed, stateful network firewall and intrusion detection and prevention service (IDS/IPS) for your Amazon Virtual Private Cloud (VPC). It enables you to implement fine-grained network protections that scale automatically with your traffic.

  • Layer 3-7 Protection: Filters traffic at the network (IP/Port) and application (Domain/HTTP Host) layers.
  • Managed Infrastructure: Automatically scales firewall capacity based on traffic load with 99.99% SLA.
  • Suricata Engine: Uses the open-source Suricata engine, allowing you to import existing rulesets and community signatures.
  • Central Management: Integrated with AWS Firewall Manager to enforce policies across multiple AWS accounts and VPCs in an Organization.

Features

Audit & Access Control

  • Integrated with CloudTrail: Track who used which keys, on which resources, and when.
  • KMS Key Permissions: Control access to data encryption keys used to encrypt and decrypt your data.
  • Attribute-Based Access Control (ABAC): Fine-grained key access using tags and aliases.
  • Grants & Grant Tokens: Temporary or conditional permissions for flexible access management.

Key Rotation & Management

  • Automatic Key Rotation: Rotate KMS keys once per year without re-encrypting existing data.
  • On-Demand Rotation: Supports symmetric-encryption, multi-region keys with imported key material (EXTERNAL origin).
  • Custom Rotation Periods & History: Define rotation schedules and view previous key material.

Key Types & Cryptography

  • Symmetric Keys: 256-bit AES encryption.
  • Asymmetric Keys: Signing, verification, encryption, and decryption capabilities.
  • ECC Keys: Includes ECC_NIST_EDWARDS25519 and KEY_AGREEMENT usage for ECC & SM2 keys (China Regions only) to derive shared secrets.
  • HMAC Keys: Message authentication support.
  • Post-Quantum Cryptography: Module-Lattice Digital Signature Algorithm (ML-DSA) and hybrid post-quantum key exchange for TLS.

External & Advanced Support

  • Dual-Stack Endpoints: IPv4 and IPv6 support.
  • External Key Store Integration: Manage cryptographic keys outside of AWS.
  • Dry-Run API Parameter: Test permissions without performing actions.
  • Nitro Enclaves API Support: Secure cryptographic operations in isolated environments.
  • CloudTrail TLS Details: Includes keyExchange field for monitoring key exchanges.

Encryption & Data Handling

  • Envelope Encryption: Encrypt data with a data key, then encrypt the data key under a KMS key.
  • Encryption Context: Optional metadata to provide additional context for cryptographic operations.
  • Import Key Material: Bring your own key material with optional expiration dates.

Management & Usability

  • Aliases: Easier key management with multiple display names per KMS key.
  • High Availability: Stores multiple encrypted copies for 99.999999999% durability.
  • VPC Endpoint Support: Connect securely through private endpoints; all communication stays within AWS network.
  • VPC Endpoint Policies: Fine-grained control over principals, API calls, and resources.

Logging & Monitoring

  • Integration: Works with CloudWatch, CloudWatch Logs, AWS Config, and S3 for comprehensive logging and monitoring.

Concepts

  • Firewall
    • Traffic-filtering logic for VPC subnets.
    • The firewall configuration specifies the Availability Zones and subnets in which the firewall endpoints are placed.
    • Changes to stateful rules apply only to new traffic flows, while changes to stateless rules apply to all network packets.
    • You can create, update, and delete a firewall as long as you have the required permissions.
    • Supports delete protection to prevent accidental deletion.
  • Firewall policies
    • Defines the rules and other settings a firewall uses to filter incoming and outgoing traffic in a VPC.
    • You can associate one firewall policy with one or more firewalls.
    • Supports one or more stateless and stateful rule groups.
    • Stateless default actions handle a packet or UDP packet fragment that doesn’t match any rule in the stateless rule groups.
    • Stateful default actions handle a packet that doesn’t match any rule in the stateful rule groups.
    • Stateful engine options hold the stateful rule order setting. RuleOrder can only be set when the policy is created.
  • Rule groups
    • A set of rules to match against VPC traffic, plus the actions to take when a match is found.
    • You can create a custom rule group or use an AWS managed rule group.
    • Rule groups are either stateless or stateful.
  • A subnet designated for a firewall endpoint is called a firewall subnet.
  • A stateless rule examines a single packet without taking the context of other packets into account.
  • A stateful rule inspects packets in the context of their traffic flow.
  • Requests are sent to a Regional endpoint, which reduces latency for your applications.
  • The owner of a firewall policy or rule group can share it, via AWS Organizations, with:
    • AWS accounts within or outside of its organization
    • An organizational unit
    • An entire organization

AWS Network Firewall Monitoring

  • Logging logic (critical exam topic):
    • Constraint: firewall logging is only available for traffic that you route to the stateful rules engine.
      • Traffic handled solely by the stateless engine (e.g., dropped immediately) is NOT recorded in flow or alert logs.
    • Log types:
      • Flow logs: standard network traffic flow logs (5-tuple).
      • Alert logs: report traffic that matches your stateful rules (e.g., an IPS signature match).
    • Destinations:
      • Amazon S3
      • CloudWatch Logs
      • Amazon Data Firehose
    • Security note: if your log destination uses SSE-KMS, you must add a statement to the KMS key policy that allows firewall logging to that destination.
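To make the policy and rule-group concepts above concrete, here is an added example (not code from the page or from AWS) that builds a domain-allowlist stateful rule group and an egress firewall policy as the JSON documents the Network Firewall API expects, then checks them against the constraints this sheet describes: strict-order-only default actions need STRICT_ORDER, and any stateless default other than forward-to-SFE bypasses the stateful engine and therefore the logs. The helper names and the ARN in the test are assumptions.

```python
"""Hypothetical helpers for building and checking AWS Network Firewall policy documents."""

STATELESS_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
# Stateful default actions that the service only accepts with RuleOrder STRICT_ORDER.
STRICT_ONLY_DEFAULTS = {"aws:drop_strict", "aws:drop_established",
                        "aws:alert_strict", "aws:alert_established"}


def domain_allowlist_rule_group(name, domains, capacity=100):
    """Stateful rule group allowing only the listed domains (matched on TLS SNI / HTTP Host)."""
    return {
        "RuleGroupName": name, "Type": "STATEFUL", "Capacity": capacity,
        "RuleGroup": {"RulesSource": {"RulesSourceList": {
            "Targets": list(domains),
            "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
            "GeneratedRulesType": "ALLOWLIST"}}},
    }


def firewall_policy(name, stateful_rule_group_arns, strict=True):
    """Egress policy: every packet is forwarded to the stateful engine (so it can be logged);
    with strict=True rules evaluate in STRICT_ORDER and unmatched established flows are dropped."""
    refs = [{"ResourceArn": arn} for arn in stateful_rule_group_arns]
    policy = {"StatelessDefaultActions": ["aws:forward_to_sfe"],
              "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
              "StatefulRuleGroupReferences": refs}
    if strict:
        for i, ref in enumerate(refs):      # Priority is only valid under STRICT_ORDER
            ref["Priority"] = i + 1
        policy["StatefulEngineOptions"] = {"RuleOrder": "STRICT_ORDER"}
        policy["StatefulDefaultActions"] = ["aws:drop_established"]
    return {"FirewallPolicyName": name, "FirewallPolicy": policy}


def check_policy(doc):
    """Return findings: unknown stateless actions, defaults that skip the stateful engine
    (and so are never logged), and strict-only settings used without STRICT_ORDER."""
    p, findings = doc["FirewallPolicy"], []
    order = p.get("StatefulEngineOptions", {}).get("RuleOrder", "DEFAULT_ACTION_ORDER")
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        for action in p.get(key, []):
            if action not in STATELESS_ACTIONS:
                findings.append(f"{key}: unknown action {action}")
            elif action != "aws:forward_to_sfe":
                findings.append(f"{key}: {action} bypasses the stateful engine, so it is never logged")
    if order != "STRICT_ORDER":
        for action in p.get("StatefulDefaultActions", []):
            if action in STRICT_ONLY_DEFAULTS:
                findings.append(f"StatefulDefaultActions: {action} requires RuleOrder STRICT_ORDER")
        if any("Priority" in r for r in p.get("StatefulRuleGroupReferences", [])):
            findings.append("Priority on stateful rule group references requires STRICT_ORDER")
    return findings
```

The returned dictionaries can be passed as-is to the CreateRuleGroup and CreateFirewallPolicy API calls (for example via boto3), which is outside this offline example.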

Use Cases

  • Egress Filtering: Preventing servers in private subnets from communicating with Command & Control (C2) botnets.
  • Compliance: Meeting PCI DSS requirements for intrusion detection and prevention (IDS/IPS) within the VPC.
  • VPC-to-VPC Inspection: Placing a firewall in a “Transit VPC” to inspect traffic moving between different internal environments (e.g., Prod talking to Dev).

Limits & Constraints

  • Throughput: Automatically scales up to 100 Gbps per Availability Zone.

  • Encrypted Traffic: Without TLS Inspection configured, the firewall cannot see inside the payload of HTTPS packets (it can only see the SNI/Domain).

  • Route Tables: You must manually manage route tables to force traffic through the firewall endpoint (it is not transparently inline like a Security Group).

AWS Network Firewall Pricing

  • Hourly Fee: Charged per firewall endpoint per hour (approx $0.395/hr).
  • Traffic Fee: Charged per GB of traffic processed (approx $0.065/GB).
  • Network Firewall is expensive compared to Security Groups, so understanding the billing model is key.
  • Pro Tip (NAT Gateway credit): If you deploy a NAT Gateway and a Network Firewall endpoint in the same Availability Zone, AWS waives the NAT Gateway hourly charge. You pay the Network Firewall hourly and traffic fees, and the NAT Gateway becomes essentially “free” on an hourly basis; you pay only for its data processing.

AWS Network Firewall Cheat Sheet References:

https://aws.amazon.com/network-firewall/


Written by: Admin User-1
