Compliance · Medium severity

AWS Security Hub · NetworkFirewall

NetworkFirewall.2: Network Firewall logging should be enabled

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub NetworkFirewall.2 check?

NetworkFirewall.2 fails when a firewall has no logging enabled for any log type, or when a configured logging destination does not exist (for example, a log group or bucket that was deleted after logging was set up). Network Firewall can emit FLOW, ALERT, and TLS logs to Amazon S3, CloudWatch Logs, or Kinesis Data Firehose; the control wants at least one log type paired with a destination that is actually there.

Why does NetworkFirewall.2 matter?

A firewall that inspects traffic but logs nothing is investigative blindness. When an incident touches the network — suspected exfiltration, lateral movement, a block-rule misfire — the first thing responders reach for is the firewall log, and with logging off that reach comes up empty. There is no record of which connections were dropped, which were allowed, or what matched an alert rule.

How do I fix NetworkFirewall.2?

  1. Configure a logging destination (S3 bucket, CloudWatch Logs group, or Firehose stream) and confirm it exists.
  2. Enable at least one log type — FLOW and ALERT cover the common cases; add TLS if you do TLS inspection.
  3. Grant Network Firewall permission to write to the destination (for an S3 bucket, a bucket policy that lets the log-delivery service principal delivery.logs.amazonaws.com put objects), then verify with describe-logging-configuration and by checking that logs are arriving.
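The check the control performs, and the fix plan for it, expressed over the JSON that `aws network-firewall describe-logging-configuration` returns. This is an added example, not Emnode's or AWS's code: the firewall name, log group, bucket name and the inventory of existing destinations are constructed for illustration, and the evaluator takes the strict reading of the control (any configured destination that does not exist fails it). It also splits a target configuration into successive update calls, because UpdateLoggingConfiguration accepts only one added, removed, or changed destination per call.

```python
"""Evaluate the NetworkFirewall.2 condition offline and plan the fix.

Added example, not Emnode's or AWS's code. It reads the JSON returned by
`aws network-firewall describe-logging-configuration` plus an inventory of
destinations you have already listed (s3api list-buckets, logs
describe-log-groups, firehose list-delivery-streams). Every name below is
constructed for illustration.
"""
import json

# LogDestination key Network Firewall expects for each destination type.
DESTINATION_KEY = {
    "S3": "bucketName",
    "CloudWatchLogs": "logGroup",
    "KinesisDataFirehose": "deliveryStream",
}
LOG_TYPES = {"ALERT", "FLOW", "TLS"}


def evaluate(describe_output, existing):
    """Return ("PASSED" | "FAILED", reasons) for one firewall.

    Strict reading of the control: FAILED when no log type is enabled, or when
    any configured destination is absent from `existing` (a dict mapping a
    LogDestinationType to the set of resource names that really exist).
    """
    configs = (describe_output.get("LoggingConfiguration") or {}).get("LogDestinationConfigs") or []
    if not configs:
        return "FAILED", ["no log type is enabled"]
    reasons = []
    for cfg in configs:
        log_type, dest_type = cfg.get("LogType"), cfg.get("LogDestinationType")
        key = DESTINATION_KEY.get(dest_type)
        if log_type not in LOG_TYPES or key is None:
            reasons.append(f"unrecognised log type or destination type: {cfg}")
            continue
        name = (cfg.get("LogDestination") or {}).get(key)
        if name not in existing.get(dest_type, set()):
            reasons.append(f"{log_type} -> {dest_type} {name!r} does not exist")
    return ("FAILED" if reasons else "PASSED"), reasons


def update_calls(current, desired):
    """Split a target destination list into successive update-logging-configuration
    payloads. The API accepts one added, removed, or changed destination per call,
    so each payload differs from the previous state by exactly one element; a
    change of destination *type* for a log type is done as remove-then-add."""
    state = [dict(c) for c in current]
    want = {d["LogType"]: d for d in desired}
    calls = []

    def snapshot():
        calls.append([dict(c) for c in state])

    # 1. Remove log types no longer wanted, or whose destination type changes.
    for cfg in list(state):
        target = want.get(cfg["LogType"])
        if target is None or target["LogDestinationType"] != cfg["LogDestinationType"]:
            state.remove(cfg)
            snapshot()
    # 2. Re-point log types that keep their destination type but move destination.
    for cfg in state:
        target = want[cfg["LogType"]]
        if cfg["LogDestination"] != target["LogDestination"]:
            cfg["LogDestination"] = dict(target["LogDestination"])
            snapshot()
    # 3. Add log types that are not configured yet.
    present = {c["LogType"] for c in state}
    for log_type, target in want.items():
        if log_type not in present:
            state.append(dict(target))
            snapshot()
    return calls


def demo():
    """Constructed scenario: a firewall with no logging at all (the usual finding)."""
    describe = {  # shape of describe-logging-configuration output, constructed
        "FirewallArn": "arn:aws:network-firewall:eu-west-1:111122223333:firewall/prod-egress-fw",
        "LoggingConfiguration": {"LogDestinationConfigs": []},
    }
    inventory = {"CloudWatchLogs": {"/netfw/prod-egress-fw/alert"},  # constructed
                 "S3": {"acme-netfw-logs-eu-west-1"}}
    desired = [
        {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
         "LogDestination": {"logGroup": "/netfw/prod-egress-fw/alert"}},
        {"LogType": "FLOW", "LogDestinationType": "S3",
         "LogDestination": {"bucketName": "acme-netfw-logs-eu-west-1", "prefix": "prod-egress-fw/flow"}},
    ]
    before = evaluate(describe, inventory)
    calls = update_calls(describe["LoggingConfiguration"]["LogDestinationConfigs"], desired)
    after = evaluate({"LoggingConfiguration": {"LogDestinationConfigs": calls[-1]}}, inventory)
    return before, after, calls


if __name__ == "__main__":
    before, after, calls = demo()
    print("before:", before, "after:", after)
    for i, payload in enumerate(calls, 1):  # each is one --logging-configuration value
        print(f"call {i}:", json.dumps({"LogDestinationConfigs": payload}))
```

Each payload printed by `demo()` is a complete `--logging-configuration` value; feed them to update-logging-configuration in order, and run `evaluate()` on the final one against a freshly listed inventory before closing the finding.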

Remediation script · bash

# Load balancer: enable access logs to a dedicated, log-delivery-permissioned bucket.
aws elbv2 modify-load-balancer-attributes \
  --load-balancer-arn "$LB_ARN" \
  --attributes \
      Key=access_logs.s3.enabled,Value=true \
      Key=access_logs.s3.bucket,Value=acme-elb-logs-eu-west-1 \
      Key=access_logs.s3.prefix,Value=prod-api

# WAF web ACL: attach logging (Firehose stream / log-group name must start with aws-waf-logs-),
# redact the Authorization header, and keep only blocked requests to cap volume.
# A CLOUDFRONT-scope web ACL is managed from us-east-1; run this with --region us-east-1 there.
aws wafv2 put-logging-configuration --logging-configuration '{
  "ResourceArn": "'"$WEBACL_ARN"'",
  "LogDestinationConfigs": ["arn:aws:firehose:us-east-1:111122223333:deliverystream/aws-waf-logs-prod"],
  "RedactedFields": [{"SingleHeader": {"Name": "authorization"}}],
  "LoggingFilter": {
    "DefaultBehavior": "DROP",
    "Filters": [{"Behavior": "KEEP", "Requirement": "MEETS_ANY",
                 "Conditions": [{"ActionCondition": {"Action": "BLOCK"}}]}]
  }
}'

# Network Firewall: enable ALERT logs to CloudWatch Logs and FLOW logs to S3.
# The API accepts one added, removed, or changed destination per call, so the
# second call repeats the first destination and appends the next one.
# Bucket name comes from $NETFW_LOG_BUCKET; it must exist and allow delivery.logs.amazonaws.com to write.
aws network-firewall update-logging-configuration --firewall-name prod-egress-fw \
  --logging-configuration "LogDestinationConfigs=[{LogType=ALERT,LogDestinationType=CloudWatchLogs,LogDestination={logGroup=/netfw/prod-egress-fw/alert}}]"
aws network-firewall update-logging-configuration --firewall-name prod-egress-fw \
  --logging-configuration "LogDestinationConfigs=[{LogType=ALERT,LogDestinationType=CloudWatchLogs,LogDestination={logGroup=/netfw/prod-egress-fw/alert}},{LogType=FLOW,LogDestinationType=S3,LogDestination={bucketName=$NETFW_LOG_BUCKET,prefix=prod-egress-fw/flow}}]"
# Verify what the control will see: at least one log type, each pointing at a destination that exists.
aws network-firewall describe-logging-configuration --firewall-name prod-egress-fw

# Route 53: the log group MUST be in us-east-1, and Route 53 needs a CloudWatch Logs
# resource policy before it can write to it; then attach the query logging config.
aws logs create-log-group --log-group-name /aws/route53/customer-portal --region us-east-1
aws logs put-resource-policy --region us-east-1 --policy-name route53-query-logging \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"route53.amazonaws.com"},"Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/*"}]}'
aws route53 create-query-logging-config --hosted-zone-id Z0J1K4M2X8N9A1 \
  --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/customer-portal

Full walkthrough (console steps, edge cases and verification) in the lesson Enable network and edge logging (LB, WAF, firewall, DNS).

Part of the learning path: See what's happening