Network Firewall firewalls should have deletion protection enabled
A Network Firewall is often the only stateful inspection layer between your VPCs and the internet. Accidental or unauthorized deletion removes all traffic filtering instantly, exposing workloads to unrestricted inbound and outbound traffic. Recovery requires recreating the firewall, re-associating subnets, and restoring policy and rule group bindings, which can take significant time under pressure.
Deletion protection adds a deliberate friction point. An operator or automation pipeline must first disable the flag before the firewall can be destroyed. This gives change-management processes, CloudTrail alerts, and IAM policy conditions time to catch unintended actions.
Retrofit consideration
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
module "network_firewall" {
  source  = "registry.compliance.tf/terraform-aws-modules/network-firewall/aws//modules/firewall"
  version = ">=1.0.0"

  firewall_policy_arn = "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/example"
  name                = "abc123"
  subnet_mapping = {
    subnet1 = {
      subnet_id = "subnet-12345678"
    }
  }
  vpc_id = "vpc-12345678"
}

This control is enforced automatically with Compliance.tf modules.
If you use terraform-aws-modules/network-firewall/aws//modules/firewall, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "network_firewall" {
  source  = "terraform-aws-modules/network-firewall/aws//modules/firewall"
  version = ">=1.0.0"

  firewall_policy_arn = "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/example"
  name                = "abc123"
  subnet_mapping = {
    subnet1 = {
      subnet_id = "subnet-12345678"
    }
  }
  vpc_id = "vpc-12345678"

  # Required for this control; the upstream module does not set it for you.
  delete_protection = true
}

Use AWS provider resources directly. See docs for the resources involved: aws_networkfirewall_firewall.
resource "aws_networkfirewall_firewall" "this" {
  firewall_policy_arn = "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/example"
  name                = "pofix-abc123"
  subnet_mapping {
    subnet_id = "subnet-12345678"
  }
  vpc_id = "vpc-12345678"

  # The provider default is false; set it explicitly to pass this control.
  delete_protection = true
}

What this control checks
In the aws_networkfirewall_firewall resource, delete_protection must be set to true. The argument defaults to false when omitted, which fails the control. Any firewall with delete_protection explicitly set to false or left unset is non-compliant. No other resources or policy attachments factor in; this is a single boolean check on the firewall resource.
Common pitfalls
Default value is false
The delete_protection argument on aws_networkfirewall_firewall defaults to false when omitted. Teams that rely on module defaults or copy-paste from AWS examples will fail this control unless they explicitly set delete_protection = true.
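The check described above, together with the default-is-false pitfall, as an added Python example that is not part of this page or of the compliance.tf project: it walks the `planned_values` tree of `terraform show -json` output (root module and child modules) and reports every aws_networkfirewall_firewall whose delete_protection is not true, treating an omitted argument the same as an explicit false. The plan JSON is a constructed sample, and the script name in the usage comment is hypothetical.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the fields this check reads.
# It mixes a compliant firewall, an explicit false, an omitted argument, an out-of-scope policy
# resource and a firewall nested in a child module.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_networkfirewall_firewall.protected",
                 "type": "aws_networkfirewall_firewall",
                 "values": {"name": "protected", "delete_protection": True}},
                {"address": "aws_networkfirewall_firewall.explicit_false",
                 "type": "aws_networkfirewall_firewall",
                 "values": {"name": "explicit-false", "delete_protection": False}},
                # Argument left unset: depending on the provider version the planned value is
                # absent or already filled in as false; both must fail.
                {"address": "aws_networkfirewall_firewall.omitted",
                 "type": "aws_networkfirewall_firewall",
                 "values": {"name": "omitted"}},
                # A firewall policy has its own protection settings and is out of scope here.
                {"address": "aws_networkfirewall_firewall_policy.this",
                 "type": "aws_networkfirewall_firewall_policy",
                 "values": {"name": "policy"}},
            ],
            "child_modules": [{
                "address": "module.network_firewall",
                "resources": [
                    {"address": "module.network_firewall.aws_networkfirewall_firewall.this",
                     "type": "aws_networkfirewall_firewall",
                     "values": {"name": "in-module", "delete_protection": True}},
                ],
            }],
        }
    },
})


def iter_resources(module):
    """Yield every resource in a planned_values module tree, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_plan(plan_json):
    """Return (address, reason) for each aws_networkfirewall_firewall whose delete_protection is not true."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_networkfirewall_firewall":
            continue
        value = res.get("values", {}).get("delete_protection")
        if value is True:
            continue
        reason = ("delete_protection omitted (provider default is false)" if value is None
                  else "delete_protection = false")
        findings.append((res["address"], reason))
    return findings


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): terraform show -json tfplan | python check_netfw_delete_protection.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN_JSON
    findings = check_plan(source)
    for address, reason in findings:
        print(f"FAIL {address}: {reason}")
    sys.exit(1 if findings else 0)
```

Run against the embedded sample it reports the explicit-false and omitted firewalls and exits non-zero, which makes it usable as a plan-stage gate in CI ahead of apply; the compliant root and module-nested firewalls and the policy resource produce no findings.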
Terraform destroy blocked without lifecycle handling
With delete_protection = true, running terraform destroy fails with an API error because AWS rejects the DeleteFirewall call. For ephemeral environments, you need automation that first sets delete_protection = false via aws network-firewall update-firewall-delete-protection or a targeted apply before destroy.
Firewall and policy protections are separate concepts
Only the delete_protection flag on aws_networkfirewall_firewall is in scope here. Related resources like firewall policies have their own protection settings; passing this control says nothing about those.
Audit evidence
Config rule evaluation results showing each AWS::NetworkFirewall::Firewall resource as COMPLIANT are the primary artifact. Supplement with CLI output from aws network-firewall describe-firewall confirming DeleteProtection: true for every firewall in scope. CloudTrail events for UpdateFirewallDeleteProtection and DeleteFirewall show that protection changes are logged and no unauthorized deletions occurred during the audit period.
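Evaluating that evidence, as an added Python example that is not part of this page or of the compliance.tf project: it reads `aws network-firewall describe-firewall` output to produce a per-firewall verdict, then scans CloudTrail records for UpdateFirewallDeleteProtection and DeleteFirewall events inside the audit period so a reviewer can see who changed protection and whether any deletion succeeded. The describe-firewall outputs, CloudTrail records, account id, role names, dates and the errorCode value on the rejected call are all constructed; nothing here calls AWS.

```python
import json
from datetime import datetime, timezone

# Audit period for the constructed evidence below (hypothetical dates).
AUDIT_START = datetime(2026, 2, 1, tzinfo=timezone.utc)
AUDIT_END = datetime(2026, 3, 1, tzinfo=timezone.utc)

# Constructed `aws network-firewall describe-firewall --firewall-name <name>` outputs, one per
# firewall in scope, trimmed to the fields read here.
SAMPLE_DESCRIBE_OUTPUTS = [
    json.dumps({"Firewall": {"FirewallName": "prod-egress",
                             "FirewallArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall/prod-egress",
                             "DeleteProtection": True}}),
    json.dumps({"Firewall": {"FirewallName": "dev-sandbox",
                             "FirewallArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall/dev-sandbox",
                             "DeleteProtection": False}}),
]

# Constructed CloudTrail records in the shape of a log file's "Records" array. The errorCode on the
# rejected DeleteFirewall call is illustrative; only its presence matters to the logic below.
SAMPLE_CLOUDTRAIL_RECORDS = [
    {"eventTime": "2026-01-05T09:00:00Z", "eventSource": "network-firewall.amazonaws.com",
     "eventName": "UpdateFirewallDeleteProtection",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ChangeMgmt/alice"},
     "requestParameters": {"firewallName": "prod-egress", "deleteProtection": True}},
    {"eventTime": "2026-02-20T10:15:00Z", "eventSource": "network-firewall.amazonaws.com",
     "eventName": "UpdateFirewallDeleteProtection",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ChangeMgmt/alice"},
     "requestParameters": {"firewallName": "dev-sandbox", "deleteProtection": False}},
    {"eventTime": "2026-02-20T11:02:00Z", "eventSource": "network-firewall.amazonaws.com",
     "eventName": "DeleteFirewall",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Deployer/bob"},
     "requestParameters": {"firewallName": "prod-egress"},
     "errorCode": "InvalidOperationException"},
]


def protection_status(describe_outputs):
    """Map firewall name -> DeleteProtection flag from describe-firewall JSON strings."""
    status = {}
    for raw in describe_outputs:
        fw = json.loads(raw)["Firewall"]
        status[fw["FirewallName"]] = fw.get("DeleteProtection") is True
    return status


def non_compliant(describe_outputs):
    """Names of firewalls that would fail the control, sorted for stable reporting."""
    return sorted(name for name, ok in protection_status(describe_outputs).items() if not ok)


def _in_window(record, start, end):
    when = datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))
    return start <= when <= end


def protection_changes(records, start, end):
    """(eventTime, actor ARN, firewall, new flag) for each UpdateFirewallDeleteProtection in the window."""
    hits = []
    for r in records:
        if r.get("eventName") != "UpdateFirewallDeleteProtection" or not _in_window(r, start, end):
            continue
        params = r.get("requestParameters", {})
        hits.append((r["eventTime"], r["userIdentity"]["arn"],
                     params.get("firewallName"), params.get("deleteProtection")))
    return hits


def deletion_attempts(records, start, end):
    """(eventTime, actor ARN, firewall, succeeded) for each DeleteFirewall call in the window.
    CloudTrail records a rejected call with an errorCode, so its absence means the delete went through."""
    hits = []
    for r in records:
        if r.get("eventName") != "DeleteFirewall" or not _in_window(r, start, end):
            continue
        hits.append((r["eventTime"], r["userIdentity"]["arn"],
                     r.get("requestParameters", {}).get("firewallName"), "errorCode" not in r))
    return hits


if __name__ == "__main__":
    print("non-compliant:", non_compliant(SAMPLE_DESCRIBE_OUTPUTS))
    for change in protection_changes(SAMPLE_CLOUDTRAIL_RECORDS, AUDIT_START, AUDIT_END):
        print("protection change:", change)
    for attempt in deletion_attempts(SAMPLE_CLOUDTRAIL_RECORDS, AUDIT_START, AUDIT_END):
        print("delete attempt:", attempt, "<- succeeded, investigate" if attempt[3] else "(rejected)")
```

With the sample data, dev-sandbox is reported non-compliant, the one in-window protection change is attributed to the ChangeMgmt role, and the single DeleteFirewall call was rejected; the January change falls outside the window and is ignored. In a real review, feed the function the Records arrays from the delivered CloudTrail log files rather than the constructed list.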
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
- Compliance.tf Control: networkfirewall_firewall_deletion_protection_enabled
- AWS Config Managed Rule: NETFW_DELETION_PROTECTION_ENABLED
- Checkov Check: CKV_AWS_344
- Powerpipe Control: aws_compliance.control.networkfirewall_firewall_deletion_protection_enabled
- Prowler Check: networkfirewall_deletion_protection
- AWS Security Hub Control: NetworkFirewall.9
Last reviewed: 2026-03-09