AWS network-firewall documentation change
Summary
Added best practices section recommending default drop action with Geographic IP allow rules and guidance on verifying IP-to-country mappings using MaxMind database, plus workarounds for overriding specific IP addresses.
Security assessment
This change adds security best practices documentation for Geographic IP filtering, specifically addressing potential security gaps due to IP address reassignments and database inaccuracies. It recommends defensive configurations (default drop) and provides workarounds for misclassified IPs, but does not indicate a specific security vulnerability being fixed.
Diff
diff --git a/network-firewall/latest/developerguide/rule-groups-geo-ip-filtering.md b/network-firewall/latest/developerguide/rule-groups-geo-ip-filtering.md index 3ba85a4fb..92f3892e3 100644 --- a//network-firewall/latest/developerguide/rule-groups-geo-ip-filtering.md +++ b//network-firewall/latest/developerguide/rule-groups-geo-ip-filtering.md @@ -37,0 +38,16 @@ Network Firewall only allows you to save Geographic IP filter rules that have va +###### Best Practices: + +###### Use a default drop action with Geographic IP allow rules + +If you configure Geographic IP rules to allow or pass connections to IP addresses in specific countries, we recommend that you set the Default action on your firewall policy to one of our available Drop actions. Geographic IP country mappings are derived from the MaxMind database, and IP-to-country associations can change between database updates. By configuring a default drop action, you ensure that if an IP address is reassigned to a different country and no longer matches your allow rule or any other rules in your firewall policy, the firewall drops the connection. + +###### Verify IP-to-country mappings in the MaxMind database + +AWS Network Firewall uses the MaxMind GeoIP database to resolve IP addresses to their associated countries. While MaxMind provides industry-standard geolocation data, IP-to-country associations may be inaccurate or change over time due to IP address reassignments, database updates, or other factors. Before you create or troubleshoot Geographic IP rules, verify the country mapping of your target IP addresses by using the [MaxMind IP lookup tool](https://www.maxmind.com/en/geoip-demo). This helps you confirm that the IP addresses you expect to match a given country code are correctly classified in the database and can prevent unexpected rule behavior. However, the lookup tool reflects MaxMind's most current data - AWS Network Firewall's database is updated on a rolling basis, so there may be a brief window where mappings differ. If this is the case, refer to the Workarounds section below for options to override specific IPs. + +###### Workarounds: + +###### Override Geographic IP rules for specific IP addresses + +If you observe that an IP address is being incorrectly allowed by a Geographic IP rule due to a country mapping change or database inaccuracy, you can create an explicit deny or reject rule in your rule group that targets the specific IP address. You would need to place this rule with a higher priority than the original rule for it to take precedence. Please see [Managing Evaluation order for Suricata compatible rules in AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html). +