AWS network-firewall documentation change
Summary
Added REJECT and ALERT actions for domain list rules, with guidance on rule group combinations
Security assessment
Introduces new security-focused actions (REJECT sends TCP resets, ALERT logs traffic) and provides operational guidance to prevent misconfigurations. Enhances security controls but does not fix a specific disclosed vulnerability.
Diff
diff --git a/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.md b/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.md index 818b9c9a2..20499de6f 100644 --- a//network-firewall/latest/developerguide/stateful-rule-groups-domain-names.md +++ b//network-firewall/latest/developerguide/stateful-rule-groups-domain-names.md @@ -17 +17 @@ A domain list rule group has the following general settings. - * **Action** – Defines how Network Firewall handles traffic that matches the rule match settings. Valid values for domain rules are `Allow` and `Deny`: + * **Action** – Defines how Network Firewall handles traffic that matches the rule match settings. Valid values for domain rules are `Allow` `Deny`, `Reject`, and `Alert`: @@ -19 +19 @@ A domain list rule group has the following general settings. - * For `Allow`, traffic of the specified protocol type that doesn't match the domain specifications is denied. + * For `Allow`, traffic of the specified protocol type that does not match the domain specifications is denied. @@ -22,0 +23,8 @@ A domain list rule group has the following general settings. + * For `Reject`, traffic matching the domain specifications is blocked and a TCP reset packet is sent back to the source. This option is only available for TCP traffic. + + * For `Alert`, traffic matching the domain specifications generates an alert in the firewall's logs (when logging is enabled). Then, traffic either passes, is rejected, or drops based based on other rules in the firewall policy. + +###### For firewall policies that use default action ordering + +We recommend that you avoid combining `Reject` or `Alert` domain list rule groups with `Allow` domain list rule groups. When this combination of rule groups is defined in a firewall policy that uses default action ordering, the default drop rule added by the `Allow` rule group will take effect before the `Reject` and `Alert` rules. +