AWS Security ChangesHomeSearch

AWS network-firewall documentation change

Service: network-firewall · 2025-11-19 · Documentation low

File: network-firewall/latest/developerguide/firewall-policy-creating.md

Summary

Added a new step (step 6) for enabling Active Threat Defense, which provides visibility into threat activity and allows blocking threats via rule groups. Updated subsequent step numbering accordingly.

Security assessment

The change introduces documentation for a security feature (Active Threat Defense) that enhances threat visibility and protection. However, there is no explicit mention of addressing a specific security vulnerability or incident, only the addition of a security capability.

Diff

diff --git a/network-firewall/latest/developerguide/firewall-policy-creating.md b/network-firewall/latest/developerguide/firewall-policy-creating.md
index ec1886788..c81345df1 100644
--- a//network-firewall/latest/developerguide/firewall-policy-creating.md
+++ b//network-firewall/latest/developerguide/firewall-policy-creating.md
@@ -27 +27,3 @@ You can't change the name after you create the firewall policy.
-  6. For **Stream exception policy** , choose how Network Firewall handles traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself. Choose from the following options:
+  6. **Enable Active Threat Defense - optional** gives you visibility into threat activity and indicator groups, types, and threat names you are protected against. You can add the appropriate Active Threat Defense rule groups to your firewall policy to block these threats. See the [AWS active threat defense for AWS Network Firewall](./aws-managed-rule-groups-atd.html) for more details.
+
+  7. For **Stream exception policy** , choose how Network Firewall handles traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself. Choose from the following options:
@@ -35 +37 @@ You can't change the name after you create the firewall policy.
-  7. Choose **Next** to go to the firewall policy's **Add rule groups** page.
+  8. Choose **Next** to go to the firewall policy's **Add rule groups** page.
@@ -37 +39 @@ You can't change the name after you create the firewall policy.
-  8. To choose the actions to take on packets that don't match any stateless rules, in the **Stateless default actions** section, first choose how to treat fragmented packets. You can choose **Use the same actions for all packets** or **Use different actions for full packets and fragmented packets**. You can then choose **Pass** , **Drop** , or **Forward to stateful rule groups** for all packets, or choose individually for full and fragmented packets. You also have the option to enable a custom action that lets you publish custom Amazon CloudWatch metrics to monitor the usage of stateless rules in your rule group. 
+  9. To choose the actions to take on packets that don't match any stateless rules, in the **Stateless default actions** section, first choose how to treat fragmented packets. You can choose **Use the same actions for all packets** or **Use different actions for full packets and fragmented packets**. You can then choose **Pass** , **Drop** , or **Forward to stateful rule groups** for all packets, or choose individually for full and fragmented packets. You also have the option to enable a custom action that lets you publish custom Amazon CloudWatch metrics to monitor the usage of stateless rules in your rule group. 
@@ -39 +41 @@ You can't change the name after you create the firewall policy.
-  9. To choose the way that your stateful rules are ordered for evaluation, and the actions to take on packets that don't match any stateful rules, in the **Stateful rule evaluation order and default action** section, first choose a rule evaluation order: 
+  10. To choose the way that your stateful rules are ordered for evaluation, and the actions to take on packets that don't match any stateful rules, in the **Stateful rule evaluation order and default action** section, first choose a rule evaluation order: 
@@ -47 +49 @@ For more information about stateful default actions for rule groups, see [Action
-  10. To add stateless rule groups, in the **Stateless rule groups** section, choose **Add rule groups** , then select the check boxes for the rule groups that you want to add and choose **Add rule groups**. 
+  11. To add stateless rule groups, in the **Stateless rule groups** section, choose **Add rule groups** , then select the check boxes for the rule groups that you want to add and choose **Add rule groups**. 
@@ -49 +51 @@ For more information about stateful default actions for rule groups, see [Action
-  11. If your firewall policy has multiple stateless rule groups, in the **Stateless rule group** section, update the processing order as needed. Network Firewall processes stateless rule groups by order of priority, starting from the lowest. To move a rule group in the list, select the check box next to its name and then move it up or down. For more information, see [How AWS Network Firewall filters network traffic](./firewall-policy-processing.html). 
+  12. If your firewall policy has multiple stateless rule groups, in the **Stateless rule group** section, update the processing order as needed. Network Firewall processes stateless rule groups by order of priority, starting from the lowest. To move a rule group in the list, select the check box next to its name and then move it up or down. For more information, see [How AWS Network Firewall filters network traffic](./firewall-policy-processing.html). 
@@ -51 +53 @@ For more information about stateful default actions for rule groups, see [Action
-  12. Choose the stateless default actions for the firewall policy to take if a full packet or UDP packet fragment doesn't match any of the stateless rule groups. Network Firewall silently drops packet fragments for other protocols. For information about the action options, see [Defining rule actions in AWS Network Firewall](./rule-action.html).
+  13. Choose the stateless default actions for the firewall policy to take if a full packet or UDP packet fragment doesn't match any of the stateless rule groups. Network Firewall silently drops packet fragments for other protocols. For information about the action options, see [Defining rule actions in AWS Network Firewall](./rule-action.html).
@@ -59 +61 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  13. To add stateful rule groups, in the **Stateful rule groups** section, choose **Add rule groups** , then select the check boxes for the rule groups that you want to add and choose **Add rule groups**. 
+  14. To add stateful rule groups, in the **Stateful rule groups** section, choose **Add rule groups** , then select the check boxes for the rule groups that you want to add and choose **Add rule groups**. 
@@ -61 +63 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  14. Choose **Next**.
+  15. Choose **Next**.
@@ -63 +65 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  15. On the **Configure advanced settings** page, optionally customize encryption and policy variables, and set the stream exception policy.
+  16. On the **Configure advanced settings** page, optionally customize encryption and policy variables, and set the stream exception policy.
@@ -65 +67 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  16. (Optional) Under **Customer managed key** , toggle the **Customize encryption settings** option to use a AWS Key Management Service customer managed key to encrypt your resources. For more information about this option, see [Encryption at rest with AWS Key Management Service](./kms-encryption-at-rest.html).
+  17. (Optional) Under **Customer managed key** , toggle the **Customize encryption settings** option to use a AWS Key Management Service customer managed key to encrypt your resources. For more information about this option, see [Encryption at rest with AWS Key Management Service](./kms-encryption-at-rest.html).
@@ -67 +69 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  17. (Optional) For **Policy variables** enter one or more IPv4 or IPv6 addresses in CIDR notation to override the default value of Suricata `HOME_NET`. If your firewall is deployed using a centralized deployment model, you might want to override `HOME_NET` with the CIDRs of your home network. Otherwise, Network Firewall uses the CIDR of your inspection VPC.
+  18. (Optional) For **Policy variables** enter one or more IPv4 or IPv6 addresses in CIDR notation to override the default value of Suricata `HOME_NET`. If your firewall is deployed using a centralized deployment model, you might want to override `HOME_NET` with the CIDRs of your home network. Otherwise, Network Firewall uses the CIDR of your inspection VPC.
@@ -69 +71 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  18. Choose **Next**.
+  19. Choose **Next**.
@@ -71 +73 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  19. (Optional) Under **Idle Timeouts** , toggle the **Customize TCP idle timeout settings** option. This lets you define the number of seconds a TCP connection can remain idle before Network Firewall drops the traffic. For information about the idle timeout setting, see [Firewall policy settings in AWS Network Firewall](./firewall-policy-settings.html). 
+  20. (Optional) Under **Idle Timeouts** , toggle the **Customize TCP idle timeout settings** option. This lets you define the number of seconds a TCP connection can remain idle before Network Firewall drops the traffic. For information about the idle timeout setting, see [Firewall policy settings in AWS Network Firewall](./firewall-policy-settings.html). 
@@ -73 +75 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  20. (Optional) On the **Add TLS inspection configuration** page, choose **Add TLS inspection configuration** to turn on decryption and re-encryption of incoming SSL/TLS traffic for the firewalls associated with this policy. You can't add or remove a TLS inspection configuration after firewall policy creation. For information about TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](./tls-inspection-configurations.html).
+  21. (Optional) On the **Add TLS inspection configuration** page, choose **Add TLS inspection configuration** to turn on decryption and re-encryption of incoming SSL/TLS traffic for the firewalls associated with this policy. You can't add or remove a TLS inspection configuration after firewall policy creation. For information about TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](./tls-inspection-configurations.html).
@@ -75 +77 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  21. Choose **Next**.
+  22. Choose **Next**.
@@ -77 +79 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  22. (Optional) On the **Add tags** page, enter a key and optional value for any tag that you want added to this firewall policy. Tags help you organize and manage your AWS resources. For more information about tagging your resources, see [Tagging AWS Network Firewall resources](./tagging.html). 
+  23. (Optional) On the **Add tags** page, enter a key and optional value for any tag that you want added to this firewall policy. Tags help you organize and manage your AWS resources. For more information about tagging your resources, see [Tagging AWS Network Firewall resources](./tagging.html). 
@@ -79 +81 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  23. Choose **Next**.
+  24. Choose **Next**.
@@ -81 +83 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  24. In the **Review and create** page, check over your firewall policy settings. If you want to change any section, choose **Edit** for the section. This returns you to the page in the firewall policy wizard. Make your changes, then choose **Next** on each page until you come back to the review and create page.
+  25. In the **Review and create** page, check over your firewall policy settings. If you want to change any section, choose **Edit** for the section. This returns you to the page in the firewall policy wizard. Make your changes, then choose **Next** on each page until you come back to the review and create page.
@@ -83 +85 @@ Network Firewall doesn't automatically forward packets to stateful rule groups.
-  25. Choose **Create firewall policy**. 
+  26. Choose **Create firewall policy**.