
AWS Well-Architected Framework

AWS Well-Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. Based on six pillars — operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability — AWS Well-Architected provides a consistent approach for customers and partners to evaluate architectures, and implement designs that can scale over time.


Network Firewall shows "aws:alert_strict action" when it is set with the Strict Order stateful engine option.

Hello, I'm using AWS Network Firewall. Firstly, I tried to use AWS Managed Rules and an Allow Domain List custom rule with the default action order. From my understanding, the default action order is Pass -> Drop -> Alert. Then, I tried to test downloading files from the allowed domain list, and it always passes because the domain is allowed. The **ThreatSignaturesMalwareCoinmining** rule group will not perform any actions. Am I correct?

So, I'm trying to change from the default action order to strict order. The default actions are drop:all and alert:all. I expected that the network firewall would process my rule groups by priority and the rules in each rule group in order. I copied the Suricata context from the AWS Managed Rule and created a new rule group as shown in the pictures.

![Enter image description here](/media/postImages/original/IMT6cNSaDhTbGF4Ym0R7I1sQ)
![Enter image description here](/media/postImages/original/IMQKpehfhvQdCQLbXZVvTS4g)

My example allowed domains are AWS domains:

```
pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"Allow HTTP traffic to .amazonaws.com"; flow:to_server, established; sid:1000101; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazonaws.com"; endswith; msg:"Allow TLS traffic to .amazonaws.com"; flow:to_server, established; sid:1000102; rev:1;)
```

Then, I added these rules to my firewall policy and found that it still blocks the traffic to .amazonaws.com.

```
{
  "firewall_name": "inspector",
  "availability_zone": "ap-southeast-1a",
  "event_timestamp": "1663828976",
  "event": {
    "timestamp": "2022-09-22T06:42:56.727635+0000",
    "flow_id": 1066945104298575,
    "event_type": "alert",
    "src_ip": "10.x.x.x",
    "src_port": 23602,
    "dest_ip": "3.0.186.102",
    "dest_port": 443,
    "proto": "TCP",
    "alert": {
      "action": "blocked",
      "signature_id": 2,
      "rev": 0,
      "signature": "aws:alert_strict action",
      "category": "",
      "severity": 3
    }
  }
}
```

I checked that 3.0.186.102 is owned by AWS, ec2-xxx.amazonaws.com.

Why does the network firewall always block the requests to AWS domains?
4 answers | 0 votes | 43 views | asked 4 days ago
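To triage logs like the one above, here is an added example (not from the question or from AWS) that parses newline-delimited Network Firewall alert records and separates flows blocked by the policy's stateful default action from those matched by a rule group. It assumes that default-action hits carry a signature starting with "aws:" (as the "aws:alert_strict action" record in the question does) and that rule-group hits carry the rule's own sid and msg; the sample records are constructed, not real traffic.

```python
import json
from collections import Counter

# Constructed sample log: the first record mirrors the shape of the one in the
# question; the second is a synthetic hit on the pass rule with sid 1000102.
SAMPLE_LOG = """
{"firewall_name":"inspector","availability_zone":"ap-southeast-1a","event_timestamp":"1663828976","event":{"timestamp":"2022-09-22T06:42:56.727635+0000","flow_id":1066945104298575,"event_type":"alert","src_ip":"10.0.0.5","src_port":23602,"dest_ip":"3.0.186.102","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":2,"rev":0,"signature":"aws:alert_strict action","category":"","severity":3}}}
{"firewall_name":"inspector","availability_zone":"ap-southeast-1a","event_timestamp":"1663828980","event":{"timestamp":"2022-09-22T06:43:00.000000+0000","flow_id":1066945104298576,"event_type":"alert","src_ip":"10.0.0.5","src_port":23610,"dest_ip":"3.0.186.102","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":1000102,"rev":1,"signature":"Allow TLS traffic to .amazonaws.com","category":"","severity":3}}}
"""

# Assumption: signatures emitted by the policy default action are prefixed "aws:".
DEFAULT_ACTION_PREFIX = "aws:"


def parse_records(text):
    """Parse one JSON record per line, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole triage
    return records


def classify(record):
    """Return 'default_action', 'rule_group' or 'other' for one record."""
    event = record.get("event", {})
    if event.get("event_type") != "alert":
        return "other"
    signature = event.get("alert", {}).get("signature", "")
    return "default_action" if signature.startswith(DEFAULT_ACTION_PREFIX) else "rule_group"


def triage(text):
    """Summarise which flows were dropped by the default action, i.e. no pass rule matched first."""
    records = parse_records(text)
    blocked = [
        (r["event"]["dest_ip"], r["event"]["dest_port"], r["event"]["flow_id"])
        for r in records
        if classify(r) == "default_action" and r["event"]["alert"].get("action") == "blocked"
    ]
    # Destinations that hit the default action most often are the candidates for a missing pass rule.
    per_dest = Counter((ip, port) for ip, port, _ in blocked)
    return {"counts": Counter(classify(r) for r in records),
            "blocked_by_default_action": blocked,
            "per_destination": per_dest}
```

A flow showing up in `blocked_by_default_action` means the pass rules were evaluated and did not match it before the drop:all / alert:all default action ran, which narrows the investigation to the rule group's match conditions rather than the policy ordering.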
