The control "[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty" is designed to ensure that if you have stateless rule groups in your AWS Network Firewall, they contain at least one rule. This control is in place because an empty stateless rule group, when present in a firewall policy, might give the false impression that it's processing traffic when in reality it's not.
To directly answer your question: If you don't have any stateless rule groups at all, this control would not apply to your environment, and therefore it would not fail. The control only checks existing stateless rule groups to ensure they are not empty.
It's important to note that this control is checking for a specific configuration within your Network Firewall setup. The purpose is to prevent potential misunderstandings or oversights in your network security configuration. An empty rule group in a firewall policy could lead to assumptions about traffic processing that aren't actually occurring.
If you decide to create stateless rule groups in the future, remember that each group should contain at least one rule to comply with this control. This ensures that your Network Firewall is configured to actively process traffic as intended, contributing to the overall security of your AWS environment.
Keep in mind that while this specific control may not apply if you don't have stateless rule groups, it's just one part of a comprehensive security strategy. It's always a good practice to regularly review your security configurations and ensure they align with your security requirements and best practices.
Sources
- netfw-stateless-rule-group-not-empty - AWS Config
- Security Hub controls for Network Firewall - AWS Security Hub
- AWS Network Firewall controls - AWS Control Tower
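The scope described in the answer above (only existing stateless rule groups are evaluated, stateful groups are ignored, and no rule groups means no findings) can be checked locally before Security Hub reports it. The following is an added example, not code from the answer or from AWS; it assumes input records shaped like Network Firewall DescribeRuleGroup responses and uses constructed sample data.

```python
from typing import Dict, List

# Constructed sample input shaped like Network Firewall DescribeRuleGroup
# responses (RuleGroupResponse + RuleGroup). Not real account data.
SAMPLE_RULE_GROUPS: List[Dict] = [
    {   # stateless group with one rule: compliant
        "RuleGroupResponse": {"RuleGroupName": "allow-dns", "Type": "STATELESS"},
        "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {
            "StatelessRules": [{"Priority": 1, "RuleDefinition": {
                "Actions": ["aws:pass"],
                "MatchAttributes": {"Protocols": [17], "DestinationPorts": [
                    {"FromPort": 53, "ToPort": 53}]}}}],
            "CustomActions": []}}},
    },
    {   # stateless group with no rules: the case NetworkFirewall.6 flags
        "RuleGroupResponse": {"RuleGroupName": "placeholder", "Type": "STATELESS"},
        "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {
            "StatelessRules": [], "CustomActions": []}}},
    },
    {   # stateful group: out of scope for this control
        "RuleGroupResponse": {"RuleGroupName": "ids-rules", "Type": "STATEFUL"},
        "RuleGroup": {"RulesSource": {"RulesString": "pass tcp any any -> any any (sid:1;)"}},
    },
]


def stateless_rule_count(rule_group: Dict) -> int:
    """Number of stateless rules in a DescribeRuleGroup-shaped record (0 if none)."""
    rules = (rule_group.get("RuleGroup", {})
             .get("RulesSource", {})
             .get("StatelessRulesAndCustomActions", {})
             .get("StatelessRules", []))
    return len(rules)


def evaluate_networkfirewall_6(rule_groups: List[Dict]) -> Dict[str, str]:
    """Map each STATELESS rule group name to COMPLIANT / NON_COMPLIANT.
    Stateful groups are skipped; an empty input yields no evaluations,
    which is the "control does not apply" case from the answer."""
    results: Dict[str, str] = {}
    for rg in rule_groups:
        meta = rg.get("RuleGroupResponse", {})
        if meta.get("Type") != "STATELESS":
            continue
        status = "COMPLIANT" if stateless_rule_count(rg) > 0 else "NON_COMPLIANT"
        results[meta.get("RuleGroupName", "<unnamed>")] = status
    return results


if __name__ == "__main__":
    for name, status in evaluate_networkfirewall_6(SAMPLE_RULE_GROUPS).items():
        print(f"{name}: {status}")
```

To run it against a real account, feed it the output of the describe-rule-group call for each rule group returned by list-rule-groups instead of the constructed sample.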