Automating Suricata Rules for AWS Network Firewall
Overview
The presentation covers the speaker's experience building an automated pipeline for generating, validating and deploying rules for AWS Network Firewall.
The key focus is on the challenges of managing Suricata rules by hand. Suricata is the powerful but complex open-source rules engine behind AWS Network Firewall, and its rule syntax is the main source of friction.
Importance of Network Firewall
The speaker's organization chose to use AWS Network Firewall to add firewalls to their AWS cloud environment, providing greater flexibility and control over egress connections.
AWS Network Firewall offers several benefits:
Tight integration with other AWS services like CloudWatch and S3 for logging and centralized governance via AWS Firewall Manager and Security Hub.
Support for rules at layers 3 through 7, including deep packet inspection and domain filtering.
Scalability up to 100 Gbps per Availability Zone.
Deployment options for north-south and east-west traffic inspection.
Firewall Rules and Suricata
Network Firewall policies contain two broad categories of rule groups: stateless and stateful.
The presentation focuses on stateful rule groups, which evaluate packets in the context of their flow, so the direction of traffic and related packets are taken into account.
Within stateful rule groups, rules can be supplied in three ways:
AWS Managed Rule Groups: pre-built rule groups maintained by AWS.
Customer Managed Standard Rules: rules defined field by field via the console, API or CloudFormation.
Suricata Compatible Rule Strings: Suricata rules written directly, giving maximum flexibility at the cost of having to get the syntax exactly right.
Challenges with Manual Suricata Rule Management
Suricata rules require precise syntax, and even small mistakes (a missing semicolon, a duplicate sid, a wrong direction operator) can change firewall behavior significantly.
Reliance on a few Suricata experts to write and review the rules creates a bottleneck.
AWS Network Firewall supports a subset of the full Suricata feature set, so existing Suricata rules may not all be compatible and must be checked before upload.
Network Firewall has no native versioning of rule groups, which makes it difficult to see who changed what or to roll back a bad change.
Errors surfaced when uploading rules directly to Network Firewall can be difficult to troubleshoot.
Automated Solution
The speaker's organization implemented an automated pipeline to transform Suricata rule generation from an expert-only process into a repeatable, testable, and scalable solution.
Key components of the pipeline:
Users commit a CSV file describing the required rules to a Git repository, which syncs the input to a versioned S3 bucket, so every change has an author and a history.
A Lambda function generates correct Suricata syntax from the CSV rows, handling tasks such as translating VPC IDs into address ranges and enforcing the organization's logging requirements.
A second validation Lambda checks the generated rules for syntax errors and confirms that the number of rules fits within the rule group's configured capacity.
Only rules that pass validation are deployed, automatically, to the Network Firewall rule group.
The pipeline blends the ease of use of AWS Managed solutions with the precision and flexibility of custom Suricata rules.
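The following is an added illustration of the generate, validate, deploy stages described above; it is not the speaker's code and is not part of the original presentation. The CSV columns, the VPC-ID-to-CIDR table, the reserved sid range and the "alert before pass" logging convention are all assumptions made for the example. A real generator Lambda would resolve VPC IDs with the EC2 API and a real deploy step would pass the returned request to the network-firewall update_rule_group API; this example only builds that request so it runs offline.

```python
import csv
import io
import ipaddress
import re

# Constructed sample input: the CSV a requester would commit to the Git repo.
# The column layout is an assumption about the pipeline's intake format.
SAMPLE_CSV = """source_vpc,dest_cidr,dest_port,protocol,action,description
vpc-0a1b2c3d4e5f60001,203.0.113.0/24,443,tcp,pass,web allowlist
vpc-0a1b2c3d4e5f60001,198.51.100.10/32,22,tcp,drop,block ssh to legacy host
vpc-0a1b2c3d4e5f60002,0.0.0.0/0,3389,tcp,drop,no rdp egress
"""

# Constructed VPC-ID -> CIDR table. A real Lambda would resolve this with
# ec2.describe_vpcs; an unknown VPC ID is a hard error, never a silent "any".
VPC_CIDRS = {
    "vpc-0a1b2c3d4e5f60001": "10.10.0.0/16",
    "vpc-0a1b2c3d4e5f60002": "10.20.0.0/16",
}

SID_BASE = 1000000  # assumed sid range reserved for generated rules
ALLOWED_ACTIONS = {"pass", "drop", "alert", "reject"}


def generate_rules(csv_text, vpc_cidrs=VPC_CIDRS):
    """Translate CSV rows into Suricata rule strings (the generator Lambda)."""
    rules, sid = [], SID_BASE
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["action"].strip().lower()
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unsupported action: {action!r}")
        src = vpc_cidrs[row["source_vpc"].strip()]                 # KeyError on unknown VPC
        dst = str(ipaddress.ip_network(row["dest_cidr"].strip()))  # rejects malformed CIDRs
        port = int(row["dest_port"])
        proto = row["protocol"].strip().lower()
        msg = row["description"].strip().replace('"', "'")         # keep msg quoting valid
        header = f"{proto} {src} any -> {dst} {port}"
        if action == "pass":
            # Logging convention (assumed): pass rules produce no alert log, so each
            # pass is preceded by an alert on the same tuple; strict order assumed.
            sid += 1
            rules.append(f'alert {header} (msg:"{msg} (logged)"; flow:to_server; sid:{sid}; rev:1;)')
        sid += 1
        rules.append(f'{action} {header} (msg:"{msg}"; flow:to_server; sid:{sid}; rev:1;)')
    return rules


# action proto src sport dir dst dport (options)
RULE_RE = re.compile(r"^(pass|drop|alert|reject) (\w+) (\S+) (\S+) (->|<>) (\S+) (\S+) \((.*)\)$")


def _parse_options(opts):
    """Split 'k:v; k2; ...' into a dict. A ';' inside a quoted value is not handled here."""
    out = {}
    for item in opts.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            out[key.strip()] = value.strip()
    return out


def validate_rules(rules, capacity):
    """Return a list of error strings (the validation Lambda); an empty list means deployable."""
    errors, seen_sids = [], set()
    for n, rule in enumerate(rules, 1):
        m = RULE_RE.match(rule)
        if not m:
            errors.append(f"rule {n}: does not match 'action proto src sport dir dst dport (options)'")
            continue
        for field in (m.group(3), m.group(6)):          # src and dst addresses
            if field != "any" and not field.startswith(("$", "[")):
                try:
                    ipaddress.ip_network(field, strict=False)
                except ValueError:
                    errors.append(f"rule {n}: bad address {field!r}")
        opts = _parse_options(m.group(8))
        for required in ("msg", "sid", "rev"):
            if required not in opts:
                errors.append(f"rule {n}: missing {required}")
        sid = opts.get("sid")
        if sid is not None:
            if sid in seen_sids:
                errors.append(f"rule {n}: duplicate sid {sid}")
            seen_sids.add(sid)
    if len(rules) > capacity:
        errors.append(f"{len(rules)} rules exceed rule group capacity {capacity}")
    return errors


def build_update_request(rules, rule_group_arn, update_token):
    """Shape the payload for network-firewall update_rule_group (not called here)."""
    return {
        "UpdateToken": update_token,          # obtained from describe_rule_group
        "RuleGroupArn": rule_group_arn,
        "RuleGroup": {"RulesSource": {"RulesString": "\n".join(rules)}},
    }


def run_pipeline(csv_text, capacity, rule_group_arn, update_token):
    """Generate, validate, then build the deploy request; fail closed on any error."""
    rules = generate_rules(csv_text)
    errors = validate_rules(rules, capacity)
    if errors:
        raise ValueError("validation failed:\n" + "\n".join(errors))
    return build_update_request(rules, rule_group_arn, update_token)


if __name__ == "__main__":
    for line in generate_rules(SAMPLE_CSV):
        print(line)
```

The point of splitting generation from validation is that the validator never trusts the generator: it re-parses every rule string, checks that sids are unique, that addresses parse, that msg/sid/rev are present, and that the rule count fits the rule group's capacity, and the deploy step only runs when the error list is empty. Anything that fails stays in Git and S3 with the offending CSV, which is what makes the failure debuggable without touching the live firewall.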
Benefits of the Automated Solution
Faster iteration and fewer errors by automating the rule generation and validation process.
Improved safety and transparency through versioning, error handling, and event-driven automation.
Reduced operational overhead by enabling teams to manage large, complex rule sets without specialized Suricata expertise.
Ability to quickly respond to threats and update firewall rules without increasing the operational burden.
Conclusion
The automated Suricata rule management pipeline enables the organization to fully leverage the capabilities of AWS Network Firewall while improving the safety, scalability, and maintainability of their firewall rules.
The solution transforms Suricata rule management from an expert-only process to a self-service, repeatable, and transparent workflow.