AWS Security Hub · NetworkFirewall
NetworkFirewall.6: Stateless rule groups should not be empty
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub NetworkFirewall.6 check?
NetworkFirewall.6 checks the AWS::NetworkFirewall::RuleGroup resource via the Config rule netfw-stateless-rule-group-not-empty and fails when a stateless rule group contains zero rules. It fires whether or not the empty group is currently attached to a policy.
Why does NetworkFirewall.6 matter?
The stateless engine is the first thing a packet hits, so an empty stateless rule group in a policy is a gap right at the front door — packets fall straight through to the default action without being matched. The deeper problem is false assurance: diagrams, runbooks, and audit evidence all show a named rule group that is in fact a no-op, which is more dangerous than an obviously missing control because nobody goes looking for it.
How do I fix NetworkFirewall.6?
- Add the intended rules (e.g. drop known-bad CIDRs, block specific ports, fast-path trusted flows) to the stateless rule group.
- Delete the rule group entirely if it is genuinely unused.
- Confirm the policy that references it now matches traffic as intended.
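The rule-group document those three bullets amount to, as an added example rather than the page's own script: a small Python builder that emits the Network Firewall RuleGroup JSON you would hand to `aws network-firewall update-rule-group --rule-group file://rules.json`, plus a check that mirrors what NetworkFirewall.6 evaluates. The CIDRs and ports are constructed sample values; the field names follow the Network Firewall RuleGroup API shape (RulesSource.StatelessRulesAndCustomActions.StatelessRules).

```python
import ipaddress
import json


def is_empty_stateless_rule_group(rule_group: dict) -> bool:
    """Mirror the NetworkFirewall.6 check: True when the group holds no stateless rules."""
    rules = (rule_group.get("RulesSource", {})
             .get("StatelessRulesAndCustomActions", {})
             .get("StatelessRules", []))
    return len(rules) == 0


def _rule(priority, action, sources=None, dest_ports=None, protocols=None):
    """One StatelessRule; a MatchAttributes key left out matches anything."""
    match = {}
    if sources:  # ip_network() rejects malformed CIDRs and host bits set in the prefix
        match["Sources"] = [{"AddressDefinition": str(ipaddress.ip_network(c))} for c in sources]
    if dest_ports:
        match["DestinationPorts"] = [{"FromPort": p, "ToPort": p} for p in dest_ports]
    if protocols:
        match["Protocols"] = protocols  # IANA protocol numbers, 6 = TCP
    return {"Priority": priority,
            "RuleDefinition": {"MatchAttributes": match, "Actions": [action]}}


def build_stateless_rule_group(blocked_cidrs, blocked_ports, trusted_cidrs) -> dict:
    """Rules for the three remediation bullets: drop known-bad CIDRs, drop specific
    TCP destination ports, then pass trusted sources. Stateless rules are evaluated
    in ascending Priority, so the drops must sit above the pass rule."""
    rules, prio = [], 1
    for cidr in blocked_cidrs:
        rules.append(_rule(prio, "aws:drop", sources=[cidr]))
        prio += 1
    if blocked_ports:
        rules.append(_rule(prio, "aws:drop", dest_ports=blocked_ports, protocols=[6]))
        prio += 1
    for cidr in trusted_cidrs:
        rules.append(_rule(prio, "aws:pass", sources=[cidr]))
        prio += 1
    if len({r["Priority"] for r in rules}) != len(rules):
        raise ValueError("stateless rule priorities must be unique")
    return {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": rules}}}


if __name__ == "__main__":
    # Constructed sample input; redirect the output to rules.json for update-rule-group.
    group = build_stateless_rule_group(["198.51.100.0/24"], [23, 3389], ["10.0.0.0/8"])
    print(json.dumps(group, indent=2))
```

After the update, re-run `describe-rule-group` and confirm the group now reports rules before expecting the finding to resolve.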
Remediation script · bash
# Attach the AWS Managed Rules common baseline to an empty web ACL, in Count mode.
# update-web-acl REPLACES the entire Rules array, so supply the full desired set and the current LockToken.
aws wafv2 update-web-acl \
--scope REGIONAL --name public-alb-waf --id a1b2c3d4-0000-1111-2222-3333 \
--lock-token e4f5g6h7 --default-action Allow={} \
--visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=public-alb-waf \
--rules '[{"Name":"AWS-CommonRuleSet","Priority":0,"Statement":{"ManagedRuleGroupStatement":{"VendorName":"AWS","Name":"AWSManagedRulesCommonRuleSet"}},"OverrideAction":{"Count":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"AWS-CommonRuleSet"}}]'
# Associate a baseline web ACL with an unprotected API Gateway stage (the resource ARN is the stage, not the API).
aws wafv2 associate-web-acl \
--web-acl-arn arn:aws:wafv2:us-east-1:111122223333:regional/webacl/prod-api-baseline/1a2b3c4d \
--resource-arn arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5/stages/prod
# Protect a Network Firewall from accidental deletion.
aws network-firewall update-firewall-delete-protection \
--firewall-name prod-egress-inspection --delete-protection
Full walkthrough (console steps, edge cases and verification) in the lesson Protect APIs and edge with WAF.
More NetworkFirewall controls
- NetworkFirewall.1 Firewalls should span multiple AZs
- NetworkFirewall.2 Network Firewall logging should be enabled
- NetworkFirewall.3 Policies should have >= 1 rule group
- NetworkFirewall.4 Default stateless action (full packets)
- NetworkFirewall.5 Default stateless action (fragmented)
- NetworkFirewall.9 Firewalls should have deletion protection
- NetworkFirewall.10 Firewalls should have subnet change protection