NetworkFirewall.9: Firewalls should have deletion protection

Written and reviewed by Emnode · Last reviewed 27 May 2026

What does AWS Security Hub NetworkFirewall.9 check?

NetworkFirewall.9 checks the DeleteProtection boolean on the AWS::NetworkFirewall::Firewall resource and fails when it is not enabled. With it on, the DeleteFirewall API is rejected while the flag is true.

Why does NetworkFirewall.9 matter?

Deleting a Network Firewall is irreversible and immediate — there is no soft-delete, no recycle bin, and no rollback of the routes pointing through it. A single CLI typo, a too-broad Terraform destroy, or a script run against the wrong account removes it in seconds. Until it is rebuilt, routes either black-hole the workload or, worse, fail open and send traffic past where inspection used to be — a window of uninspected egress is exactly how a routine mistake becomes an exfiltration incident.

How do I fix NetworkFirewall.9?

Set DeleteProtection to true on every production firewall.
Pair it with SubnetChangeProtection so the inspection boundary cannot be quietly re-pointed either.
Enforce the setting in your IaC so re-applies do not silently disable it.

Remediation script · bash

# Attach the AWS Managed Rules common baseline to an empty web ACL, in Count mode.
# update-web-acl REPLACES the entire Rules array, so supply the full desired set and the current LockToken.
aws wafv2 update-web-acl \
  --scope REGIONAL --name public-alb-waf --id a1b2c3d4-0000-1111-2222-3333 \
  --lock-token e4f5g6h7 --default-action Allow={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=public-alb-waf \
  --rules '[{"Name":"AWS-CommonRuleSet","Priority":0,"Statement":{"ManagedRuleGroupStatement":{"VendorName":"AWS","Name":"AWSManagedRulesCommonRuleSet"}},"OverrideAction":{"Count":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"AWS-CommonRuleSet"}}]'

# Associate a baseline web ACL with an unprotected API Gateway stage (the resource ARN is the stage, not the API).
aws wafv2 associate-web-acl \
  --web-acl-arn arn:aws:wafv2:us-east-1:111122223333:regional/webacl/prod-api-baseline/1a2b3c4d \
  --resource-arn arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5/stages/prod

# Protect a Network Firewall from accidental deletion.
aws network-firewall update-firewall-delete-protection \
  --firewall-name prod-egress-inspection --delete-protection

Full walkthrough (console steps, edge cases and verification) in the lesson Protect APIs and edge with WAF.

Full lesson Protect APIs and edge with WAF Step-by-step remediation with CLI, code and persona-specific context.

AWS documentation for NetworkFirewall controls ↗ Check your own account for NetworkFirewall.9 →

Part of the learning path Lock down access

NetworkFirewall.1 Firewalls should span multiple AZs
NetworkFirewall.2 Network Firewall logging should be enabled
NetworkFirewall.3 Policies should have >= 1 rule group
NetworkFirewall.4 Default stateless action (full packets)
NetworkFirewall.5 Default stateless action (fragmented)
NetworkFirewall.6 Stateless rule groups should not be empty
NetworkFirewall.10 Firewalls should have subnet change protection

NetworkFirewall.9: Firewalls should have deletion protection

What does AWS Security Hub NetworkFirewall.9 check?

Why does NetworkFirewall.9 matter?

How do I fix NetworkFirewall.9?

More NetworkFirewall controls