Skip to content

Terraform AWS Network Firewall

AWS Network Firewall rule groups, firewall policies, firewalls, logging destinations, stateless and stateful inspection rules, and subnet placement for traffic filtering.

4 controls enforced3 frameworks

Controls Enforced

The following compliance controls are enforced by this module at terraform plan time.

Quick Start

module "network_firewall" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "awsgenai.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "cis.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "cisv600.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "gdpr.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "nis2.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

module "network_firewall" {
  source  = "soc2.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "<version>"

  # ... your arguments here
}

See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL:

module "network_firewall" {
  source  = "terraform-aws-modules/network-firewall/aws"
  version = "1.0"
}

module "network_firewall" {
  source  = "soc2.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "network_firewall" {
  source  = "terraform-aws-modules/network-firewall/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

6 Security in network and information systems acquisition, development and maintenance

PR.IR-01

1.2.8: Network security controls (NSCs) are configured and maintained.

1.3.1: Network access to and from the cardholder data environment is restricted.

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.2: Network connections between trusted and untrusted networks are controlled.

1.4.3 Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network

1.4.3: Network connections between trusted and untrusted networks are controlled.

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.

A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

ControlNIS2 Directive (EU 2022/2555)NIST Cybersecurity Framework v2.0PCI DSS v4.0
Network Firewall firewalls should have deletion protection enabled
The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
The default stateless action for Network Firewall policies should be drop or forward for full packets
Network Firewall firewalls should have subnet change protection enabled

Showing top 3 frameworks by coverage. All framework endpoints →