AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-04-23 · Documentation low

File: prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.md

Summary

Formatting and wording improvements: Updated AWS service name references, removed redundant 'Target technology stack' section, fixed code indentation, simplified tool descriptions, and updated CloudWatch console URL formatting.

Security assessment

Changes are primarily stylistic improvements and documentation cleanup. No security vulnerabilities or specific security features are being addressed or added. The modifications maintain existing security-related content about configuring CloudWatch alerts for Network Firewall but don't introduce new security considerations.

Diff

diff --git a/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.md b/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.md
index f51e1f5ca..3a739caed 100644
--- a//prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.md
+++ b//prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.md
@@ -13 +13 @@ SummaryPrerequisites and limitationsArchitectureToolsEpicsRelated resourcesAddit
-The pattern helps you customize the Amazon CloudWatch alerts that are generated by Amazon Web Services (AWS) Network Firewall. You can use predefined rules or create custom rules that determine the message, metadata, and severity of the alerts. You can then act upon these alerts or automate responses by other Amazon services, such as Amazon EventBridge.
+The pattern helps you customize the Amazon CloudWatch alerts that are generated by AWS Network Firewall. You can use predefined rules or create custom rules that determine the message, metadata, and severity of the alerts. You can then act upon these alerts or automate responses by other Amazon services, such as Amazon EventBridge.
@@ -43,11 +42,0 @@ In this pattern, you generate Suricata-compatible firewall rules. [Suricata](htt
-**Target technology stack**
-
-  * Network Firewall
-
-  * Amazon CloudWatch Logs
-
-
-
-
-**Target architecture**
-
@@ -58 +47 @@ The architecture diagram shows the following workflow:
-  1. An EC2 instance in a private subnet makes a request by using either [curl](https://curl.se/) or [Wget](https://www.gnu.org/software/wget/).
+  1. An Amazon EC2 instance in a private subnet makes a request by using either [curl](https://curl.se/) or [Wget](https://www.gnu.org/software/wget/).
@@ -82 +71 @@ The architecture diagram shows the following workflow:
-**Other tools and services**
+**Other tools**
@@ -84 +73 @@ The architecture diagram shows the following workflow:
-  * [ curl](https://curl.se/) – curl is an open-source command line tool and library.
+  * [ curl](https://curl.se/) is an open-source command line tool and library.
@@ -86 +75 @@ The architecture diagram shows the following workflow:
-  * [Wget](https://www.gnu.org/software/wget/) – GNU Wget is a free command line tool.
+  * [GNU Wget](https://www.gnu.org/software/wget/) is a free command line tool.
@@ -109,3 +98,3 @@ Create the rule group.| In the AWS CLI, enter the following command. This create
-            --rule-group-name custom --type STATEFUL \
-            --capacity 10 --rules file://custom.rules \
-            --tags Key=environment,Value=development
+            --rule-group-name custom --type STATEFUL \
+            --capacity 10 --rules file://custom.rules \
+            --tags Key=environment,Value=development
@@ -117,15 +106,15 @@ The following is an example output. Make note of the `RuleGroupArn`, which you n
-        "UpdateToken": "4f998d72-973c-490a-bed2-fc3460547e23",
-        "RuleGroupResponse": {
-            "RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",
-            "RuleGroupName": "custom",
-            "RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",
-            "Type": "STATEFUL",
-            "Capacity": 10,
-            "RuleGroupStatus": "ACTIVE",
-            "Tags": [
-                {
-                    "Key": "environment",
-                    "Value": "development"
-                }
-            ]
-        }
+        "UpdateToken": "4f998d72-973c-490a-bed2-fc3460547e23",
+        "RuleGroupResponse": {
+            "RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",
+            "RuleGroupName": "custom",
+            "RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",
+            "Type": "STATEFUL",
+            "Capacity": 10,
+            "RuleGroupStatus": "ACTIVE",
+            "Tags": [
+                {
+                    "Key": "environment",
+                    "Value": "development"
+                }
+            ]
+        }
@@ -141,2 +130,2 @@ Get the ARN of the firewall policy.| In the AWS CLI, enter the following command
-        --firewall-name aws-network-firewall-anfw \
-        --query 'Firewall.FirewallPolicyArn'
+        --firewall-name aws-network-firewall-anfw \
+        --query 'Firewall.FirewallPolicyArn'
@@ -154,11 +143,11 @@ Update the firewall policy.| In a text editor, copy the paste the following code
-        "StatelessDefaultActions": [
-            "aws:forward_to_sfe"
-        ],
-        "StatelessFragmentDefaultActions": [
-            "aws:forward_to_sfe"
-        ],
-        "StatefulRuleGroupReferences": [
-            {
-                "ResourceArn": "<RuleGroupArn>"
-            }
-        ]
+        "StatelessDefaultActions": [
+            "aws:forward_to_sfe"
+        ],
+        "StatelessFragmentDefaultActions": [
+            "aws:forward_to_sfe"
+        ],
+        "StatefulRuleGroupReferences": [
+            {
+                "ResourceArn": "<RuleGroupArn>"
+            }
+        ]
@@ -171,7 +160,7 @@ Enter the following command in the AWS CLI. This command requires an [update tok
-                  --firewall-policy-name firewall-policy-anfw \
-                  --output text --query UpdateToken`)
-     
-     aws network-firewall update-firewall-policy \
-     --update-token $UPDATETOKEN \
-     --firewall-policy-name firewall-policy-anfw \
-     --firewall-policy file://firewall-policy-anfw.json
+                  --firewall-policy-name firewall-policy-anfw \
+                  --output text --query UpdateToken`)
+     
+     aws network-firewall update-firewall-policy \
+     --update-token $UPDATETOKEN \
+     --firewall-policy-name firewall-policy-anfw \
+     --firewall-policy file://firewall-policy-anfw.json
@@ -184,2 +173,2 @@ Confirm the policy updates.| (Optional) If you would like to confirm the rules w
-      --firewall-policy-name firewall-policy-anfw \
-      --query FirewallPolicy
+      --firewall-policy-name firewall-policy-anfw \
+      --query FirewallPolicy
@@ -191,11 +180,11 @@ The following is an example output.
-        "StatelessDefaultActions": [
-            "aws:forward_to_sfe"
-        ],
-        "StatelessFragmentDefaultActions": [
-            "aws:forward_to_sfe"
-        ],
-        "StatefulRuleGroupReferences": [
-            {
-                "ResourceArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom"
-            }
-        ]
+        "StatelessDefaultActions": [
+            "aws:forward_to_sfe"
+        ],
+        "StatelessFragmentDefaultActions": [
+            "aws:forward_to_sfe"
+        ],
+        "StatefulRuleGroupReferences": [
+            {
+                "ResourceArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom"
+            }
+        ]
@@ -221 +210 @@ Validate that the alerts are logged.|
-  1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/)
+  1. Open the [CloudWatch console](https://console.aws.amazon.com/cloudwatch/).
@@ -268 +257 @@ Update the rule group.| In the AWS CLI, run the following commands. Use the ARN
-                    describe-rule-group \
+                    describe-rule-group \
@@ -273,2 +262,2 @@ Update the rule group.| In the AWS CLI, run the following commands. Use the ARN
-     ❯ aws network-firewall update-rule-group \
-      --rule-group-arn arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom \
+     ❯ aws network-firewall update-rule-group \
+      --rule-group-arn arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom \
@@ -282,15 +271,15 @@ The following is an example output.
-        "UpdateToken": "7536939f-6a1d-414c-96d1-bb28110996ed",
-        "RuleGroupResponse": {
-            "RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",
-            "RuleGroupName": "custom",
-            "RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",
-            "Type": "STATEFUL",
-            "Capacity": 10,
-            "RuleGroupStatus": "ACTIVE",
-            "Tags": [
-                {
-                    "Key": "environment",
-                    "Value": "development"
-                }
-            ]
-        }
+        "UpdateToken": "7536939f-6a1d-414c-96d1-bb28110996ed",
+        "RuleGroupResponse": {
+            "RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",
+            "RuleGroupName": "custom",
+            "RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",
+            "Type": "STATEFUL",
+            "Capacity": 10,
+            "RuleGroupStatus": "ACTIVE",
+            "Tags": [
+                {
+                    "Key": "environment",
+                    "Value": "development"
+                }
+            ]
+        }
@@ -314 +303 @@ Validate the alert changed.|
-  1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/)
+  1. Open the [CloudWatch console](https://console.aws.amazon.com/cloudwatch/).
@@ -366 +355 @@ The following is the classification configuration file from Suricata 5.0.2. Thes
-     
+     
@@ -380 +369 @@ The following is the classification configuration file from Suricata 5.0.2. Thes
-     
+     
@@ -403 +392 @@ The following is the classification configuration file from Suricata 5.0.2. Thes
-     
+