What Changed
Critical bug fix in the AWS Network Firewall connector deployment logic: when dynamic stream names were configured, the deployment created duplicate data collector resources.
Security Impact (Visibility & Fidelity)
Pre-Fix Behaviour: The connector created a separate collector resource for each log stream (Alert, Flow, TLS). Because those resources collided, deployments conflicted and data ingestion could fail. This resulted in:
- Failed connector deployments due to resource naming conflicts
- Inconsistent data collection across Network Firewall log types
- Administrative overhead from managing multiple collectors for a single data source
Post-Fix Behaviour: A single parameterised connector whose conditional logic routes each stream to the correct destination table at deployment time:
- Alert logs → AWSNetworkFirewallAlert table
- Flow logs → AWSNetworkFirewallFlow table
- TLS logs → AWSNetworkFirewallTls table
Technical Fix Details
Connector Resource Changes:
- Consolidated three separate collector definitions into one parameterised resource
- Added conditional ARM template logic for dynamic destination table selection
- Updated PowerShell deployment tooling to handle dynamic stream name mappings
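The routing described under Post-Fix Behaviour and the consolidation listed above, as an added PowerShell illustration that is not code from the Sentinel repository or from createCCPConnector.ps1. It assumes the three stream-to-table mappings given in this note; the resource type, the resource name expression, the 'streamName' and 'workspace' parameters and the function names are hypothetical placeholders chosen for the illustration. It builds the pre-fix shape (one collector per stream, all sharing a name, which an ARM deployment rejects), the post-fix shape (one resource with a nested if() expression selecting the table), and a duplicate-name check a build tool can run over the generated resources before packaging.

```powershell
# Added illustration, not the project's own tooling. Mapping taken from the release note;
# resource type, names and parameter names below are hypothetical placeholders.

$StreamTables = [ordered]@{
    Alert = 'AWSNetworkFirewallAlert'
    Flow  = 'AWSNetworkFirewallFlow'
    TLS   = 'AWSNetworkFirewallTls'
}

# Emit a nested ARM if() chain that resolves the destination table from a stream parameter.
function New-TableSelectorExpression {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Map,
        [string]$ParameterName = 'streamName'   # hypothetical template parameter
    )
    $entries = @($Map.GetEnumerator())
    # The last mapping is the innermost fallback; each earlier mapping wraps it in if().
    $expr = "'$($entries[-1].Value)'"
    for ($i = $entries.Count - 2; $i -ge 0; $i--) {
        $key = $entries[$i].Key
        $val = $entries[$i].Value
        $expr = "if(equals(parameters('$ParameterName'), '$key'), '$val', $expr)"
    }
    return "[$expr]"
}

# Pre-fix shape: one collector resource per stream, each built from the same name
# expression, so the template contains three resources with an identical type/name pair.
function New-PerStreamCollectors {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Map)
    foreach ($entry in $Map.GetEnumerator()) {
        [pscustomobject]@{
            type       = 'Microsoft.SecurityInsights/dataConnectors'   # placeholder type
            name       = "[concat(parameters('workspace'), '/AWSNetworkFirewallCollector')]"
            properties = @{ stream = $entry.Key; destinationTable = $entry.Value }
        }
    }
}

# Post-fix shape: a single parameterised resource; the table is chosen per deployment.
function New-ParameterisedCollector {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Map)
    [pscustomobject]@{
        type       = 'Microsoft.SecurityInsights/dataConnectors'       # placeholder type
        name       = "[concat(parameters('workspace'), '/AWSNetworkFirewallCollector')]"
        properties = @{
            stream           = "[parameters('streamName')]"
            destinationTable = New-TableSelectorExpression -Map $Map
        }
    }
}

# The pre-packaging check: flag every type+name pair that occurs more than once.
function Test-DuplicateResourceNames {
    param([object[]]$Resources)
    $Resources |
        Group-Object -Property { "$($_.type)|$($_.name)" } |
        Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ Resource = $_.Name; Count = $_.Count } }
}

$before = @(New-PerStreamCollectors -Map $StreamTables)
$after  = @(New-ParameterisedCollector -Map $StreamTables)

'Pre-fix duplicates (three collectors share one name):'
Test-DuplicateResourceNames -Resources $before | Format-Table -AutoSize

$afterDupes = @(Test-DuplicateResourceNames -Resources $after).Count
"Post-fix duplicates: $afterDupes"
"Post-fix destinationTable expression:"
$after[0].properties.destinationTable
```

Running the script reports one duplicated type/name pair with a count of 3 for the pre-fix shape, zero duplicates for the post-fix shape, and prints the selector expression, which nests Alert and Flow checks around a TLS fallback. That fallback is the caveat to keep in mind: an unrecognised stream value silently lands in the last table, so a real template should constrain the parameter with allowedValues (or end the chain with a fail() call) rather than rely on the innermost default.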
Build Tool Improvements: createCCPConnector.ps1 now generates the conditional logic for multi-stream connectors itself, so the same deployment-pattern bug cannot recur in other AWS solutions built with the tool.
This fix makes AWS Network Firewall data collection deploy reliably and removes a critical failure mode that left network security monitoring without its firewall telemetry.
Affected Files
Solutions/Amazon Web Services NetworkFirewall/Data Connectors/AWSNetworkFirewallLogs_CCP/AWSNetworkFirewallLog_PollingConfig.json
Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1
Tools/Create-Azure-Sentinel-Solution/common/get-ccp-details.ps1
(packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_AmazonWebServices.json, createUiDefinition.json, mainTemplate.json)