Secure Amazon container workloads using container attribute-based rules in AWS Network Firewall

Organizations running containerized applications on Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon EC2 can now use AWS Network Firewall with container attribute-based rules to protect traffic flowing to and from their workloads.

This capability lets security teams write firewall rules in terms of container attributes such as pod labels, namespace and service account, giving granular, identity-aware network segmentation for Kubernetes environments without depending on static pod IP addresses.

Key Features

  • Container-Aware Rules — Define firewall policies based on Kubernetes metadata (pod labels, namespaces, service accounts) rather than IP addresses
  • Automatic Rule Updates — Rules update dynamically as pods are created, destroyed, or scaled, eliminating manual rule management
  • Simplified Network Segmentation — Implement microsegmentation between application tiers using declarative, identity-based policies
  • Centralised Management — Manage firewall policy for multiple EKS clusters from a single AWS Network Firewall policy
  • Integration with AWS Organizations — Deploy consistent firewall policies across all accounts in your organisation

How It Works

AWS Network Firewall inspects the traffic that VPC route tables send through its firewall endpoints and applies stateful inspection rules to it. With container attribute-based rules, the firewall maintains a mapping from Kubernetes pod metadata to the pods' current IP addresses, so you can write a rule such as "allow traffic from pods labelled app=frontend to pods labelled app=backend on port 443" without hardcoding IPs; the rule is evaluated against whichever IPs currently carry those attributes.

This removes much of the overhead of maintaining firewall rules in Kubernetes environments, where pod IP addresses change constantly with scaling, rolling updates and rescheduling. Two points to keep in mind: the firewall can only evaluate traffic that is actually routed through a firewall endpoint, so pod-to-pod traffic that stays on one node or inside one subnet is not inspected unless your routing sends it there; and a rule keyed on a label alone is only as trustworthy as the RBAC that controls who may create or relabel pods, so pin rules to namespace and service account as well as to labels wherever you can.
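The following is an added illustration of the mechanism described above, written for this page; it is not AWS Network Firewall code and does not use its API. It models a tiny pod inventory, expands attribute-based rules into the IP sets they currently denote, and shows that the rule keeps working across a pod reschedule and an IP being recycled, and why pinning the rule to a namespace matters. The class and function names (`Pod`, `Selector`, `Rule`, `FirewallModel`, `demo`), the pod names and the IP addresses are all invented for the example.

```python
"""Toy model of identity-based firewall rules over a dynamic pod inventory.
Added example for illustration only; not AWS Network Firewall code or its API.
All names, pods and IPs below are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Labels = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    service_account: str
    labels: Labels
    ip: str


@dataclass(frozen=True)
class Selector:
    """Which pods one side of a rule refers to. None means 'any'."""
    labels: Labels = ()
    namespace: Optional[str] = None
    service_account: Optional[str] = None

    def matches(self, pod: Pod) -> bool:
        if self.namespace is not None and pod.namespace != self.namespace:
            return False
        if self.service_account is not None and pod.service_account != self.service_account:
            return False
        have = dict(pod.labels)
        return all(have.get(k) == v for k, v in self.labels)


@dataclass(frozen=True)
class Rule:
    src: Selector
    dst: Selector
    dst_port: int
    action: str  # "allow" or "deny"


class FirewallModel:
    """Keeps a pod-IP inventory and evaluates rules against it; default deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.pods_by_ip: Dict[str, Pod] = {}

    # These two calls stand in for the firewall learning pod churn automatically.
    def pod_added(self, pod: Pod) -> None:
        self.pods_by_ip[pod.ip] = pod

    def pod_removed(self, ip: str) -> None:
        self.pods_by_ip.pop(ip, None)

    def resolve(self, rule: Rule) -> Tuple[Set[str], Set[str]]:
        """Expand a rule's selectors into the IP sets they denote right now."""
        src = {ip for ip, p in self.pods_by_ip.items() if rule.src.matches(p)}
        dst = {ip for ip, p in self.pods_by_ip.items() if rule.dst.matches(p)}
        return src, dst

    def decide(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        """First matching rule wins; anything unmatched (including unknown IPs) is denied."""
        for rule in self.rules:
            src, dst = self.resolve(rule)
            if src_ip in src and dst_ip in dst and dst_port == rule.dst_port:
                return rule.action
        return "deny"


def demo() -> Dict[str, str]:
    """Walk through pod churn and an impersonation attempt; returns each decision."""
    # The rule from the text, pinned to the 'web' namespace on both sides.
    strict = Rule(Selector((("app", "frontend"),), namespace="web"),
                  Selector((("app", "backend"),), namespace="web"), 443, "allow")
    # The same rule keyed on the label alone, to show what the pin buys you.
    loose = Rule(Selector((("app", "frontend"),)), Selector((("app", "backend"),)), 443, "allow")
    fw_strict, fw_loose = FirewallModel([strict]), FirewallModel([loose])

    frontend = Pod("frontend-abc", "web", "frontend-sa", (("app", "frontend"),), "10.0.1.10")
    backend = Pod("backend-xyz", "web", "backend-sa", (("app", "backend"),), "10.0.2.20")
    for fw in (fw_strict, fw_loose):
        fw.pod_added(frontend)
        fw.pod_added(backend)

    out: Dict[str, str] = {}
    out["initial_443"] = fw_strict.decide("10.0.1.10", "10.0.2.20", 443)    # allow
    out["initial_8080"] = fw_strict.decide("10.0.1.10", "10.0.2.20", 8080)  # deny: wrong port
    # Reschedule: the frontend comes back on a new IP; no rule is edited.
    fw_strict.pod_removed("10.0.1.10")
    fw_strict.pod_added(Pod("frontend-def", "web", "frontend-sa", (("app", "frontend"),), "10.0.1.55"))
    out["after_move_new_ip"] = fw_strict.decide("10.0.1.55", "10.0.2.20", 443)  # allow
    # The old IP is recycled by an unrelated job pod; it carries no frontend identity.
    fw_strict.pod_added(Pod("job-1", "web", "default", (("app", "job"),), "10.0.1.10"))
    out["recycled_old_ip"] = fw_strict.decide("10.0.1.10", "10.0.2.20", 443)  # deny
    # Impersonation: a pod in another namespace that merely carries the label app=frontend.
    impostor = Pod("evil", "scratch", "default", (("app", "frontend"),), "10.0.9.9")
    fw_strict.pod_added(impostor)
    fw_loose.pod_added(impostor)
    out["impostor_loose"] = fw_loose.decide("10.0.9.9", "10.0.2.20", 443)    # allow: label alone
    out["impostor_strict"] = fw_strict.decide("10.0.9.9", "10.0.2.20", 443)  # deny: namespace pinned
    return out


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:20s} {decision}")
```

The `impostor_loose` case is the one to take away: a selector that keys on a label alone admits any pod that can acquire the label, so the effective trust boundary is whoever holds RBAC to create or relabel pods, and the namespace and service account pins are what narrow it.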

Benefits for Security Teams

  • Reduced rule sprawl — fewer rules needed to achieve the same security posture
  • Faster incident response — clear mapping between network events and workload identity
  • Compliance alignment — easier to demonstrate network segmentation for PCI DSS, HIPAA, and SOC 2
  • Zero-downtime policy changes — rules update as workloads change without manual intervention

This enhancement is available in all AWS Regions where AWS Network Firewall is supported. For more information, visit the AWS Network Firewall product page.