AWS Firewall Manager
Learn how to automate the protection of new resources using AWS Firewall Manager.
AWS Firewall Manager is a security management service that lets us centrally configure and manage firewall rules across multiple AWS accounts and resources, so that security policies and compliance requirements are enforced uniformly across our organization’s AWS environment. Instead of configuring each security service in every account, we define a security policy once at the organization level; Firewall Manager then applies it to every in-scope resource, including resources created later, and reports (or, with auto-remediation enabled, fixes) resources that drift out of compliance.
Security services managed by AWS Firewall Manager
AWS Firewall Manager’s policies can be applied to various AWS security services and features, including:
AWS WAF (Web Application Firewall): Firewall Manager policies deploy AWS WAF web ACLs, built from the rule groups we choose, across multiple accounts onto resources such as Application Load Balancers, API Gateway stages, and CloudFront distributions. This enforces a consistent web application baseline, such as blocking malicious traffic and protecting against common web-based attacks, without each account building its own web ACL.
AWS Shield Advanced: Firewall Manager policies can manage AWS Shield Advanced protections for Distributed Denial of Service (DDoS) attacks. We can centrally configure DDoS protection settings and mitigation strategies for our AWS resources.
VPC security groups: Firewall Manager security group policies manage the security groups of Amazon Virtual Private Cloud (VPC) resources across accounts. A common security group policy copies a primary security group from the administrator account into each in-scope account and associates it with the in-scope resources; a content audit policy checks existing security groups against the rules we allow or forbid and can remediate violations; a usage audit policy finds unused and redundant security groups.
AWS Network Firewall: Firewall Manager integrates with AWS Network Firewall to manage firewall rules for protecting our VPC traffic. We can centrally configure and enforce network firewall policies to filter and monitor inbound and outbound traffic.
Route 53 Resolver DNS Firewall: Firewall Manager can associate DNS Firewall rule groups with every in-scope VPC, so that outbound DNS queries from those VPCs are filtered by a common rule set across the organization.
How AWS Firewall Manager works
Some prerequisites must be met before we can start using Firewall Manager. These prerequisites are listed below:
Join and configure AWS Organizations: Firewall Manager works within AWS Organizations, which is what lets one account manage security policies across many. Before setting up Firewall Manager, the accounts must belong to an organization with all features enabled (consolidated billing alone is not enough), and the organizational units (OUs) should be laid out as needed, since policies are scoped by OU and account.
Designate an AWS Firewall Manager administrator account: From the organization’s management account, designate one account as the Firewall Manager administrator. This account creates and manages the security policies for the organization; a dedicated security account is recommended over the management account itself.
Note: The first account designated in this way becomes the default administrator account. It has full scope over the organization and can in turn create additional Firewall Manager administrators with a narrower scope.
Enable AWS Config: AWS Config provides the resource inventory and configuration history that Firewall Manager uses to find in-scope resources, assess compliance, and enforce policies. Ensure that AWS Config is recording in the administrator account and in every member account, in every AWS Region where Firewall Manager will be used, and that the recorded resource types include the ones the policies will cover (for example, load balancers and security groups).
Subscribe to and configure third-party policies: If we plan to use third-party security policies available in the AWS Marketplace, subscribe to the desired policies and configure the necessary settings according to our organization’s security requirements.
Enable resource sharing for Network Firewall and DNS Firewall policies: These policies work by sharing rule groups from the administrator account with the member accounts, so sharing with AWS Organizations must be enabled in AWS Resource Access Manager (RAM) before Firewall Manager can apply them across accounts and VPCs.
Enable Firewall Manager in additional Regions: Firewall Manager is available without extra steps in the Regions that are enabled by default. Regions that are disabled by default (opt-in Regions) must be enabled in the administrator account and in each member account before Firewall Manager can manage resources there.
AWS Firewall Manager security policies
After these prerequisites have been met, we define security policies in the Firewall Manager console or API. A policy names the security service and its settings (for example, a web ACL template of AWS WAF rule groups, AWS Shield Advanced protection, or a security group baseline), the resource types it covers, and its scope: the accounts or OUs it applies to, optionally narrowed by resource tags. Each policy also states whether Firewall Manager should only report non-compliant resources or remediate them automatically; with remediation enabled, every matching resource created later in a member account is protected without anyone in that account having to act.
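The flow above as a script, added here as an example and not taken from the page or from AWS: it builds a WAF policy document of the kind just described with Python and boto3, sanity-checks it offline, creates it from the administrator account, and lists the resources Firewall Manager reports as non-compliant in one member account. It assumes the prerequisites of the previous section are in place and that it runs with credentials for the Firewall Manager administrator account; the policy name, OU ID, tag and account IDs are hypothetical placeholders.

```python
"""Build, check, apply and verify an AWS Firewall Manager WAF policy (boto3)."""
import json

# Hypothetical identifiers, for illustration only.
POLICY_NAME = "org-waf-baseline"
WORKLOAD_OU = "ou-abcd-11111111"   # OU that holds the application accounts


def waf_managed_service_data(managed_rule_groups, default_action="ALLOW"):
    """ManagedServiceData for a WAFV2 policy: the web ACL template, as a JSON string.

    Groups in preProcessRuleGroups run before any rules an account owner adds to
    the web ACL Firewall Manager creates; postProcessRuleGroups run after them.
    """
    rule_groups = [{
        "ruleGroupArn": None,
        "overrideAction": {"type": "NONE"},   # keep the group's own block actions
        "managedRuleGroupIdentifier": {"version": None, "vendorName": "AWS",
                                       "managedRuleGroupName": name},
        "ruleGroupType": "ManagedRuleGroup",
        "excludeRules": [],
    } for name in managed_rule_groups]
    return json.dumps({
        "type": "WAFV2",
        "preProcessRuleGroups": rule_groups,
        "postProcessRuleGroups": [],
        "defaultAction": {"type": default_action},
        # False keeps a web ACL the account already attached (the resource is
        # then reported as non-compliant); True replaces it with the managed one.
        "overrideCustomerWebACLAssociation": False,
        "loggingConfiguration": None,
    })


def build_waf_policy(name=POLICY_NAME, ou_ids=(WORKLOAD_OU,), remediate=True):
    """The Policy structure that fms.put_policy accepts."""
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": waf_managed_service_data(
                ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]),
        },
        # A single type goes in ResourceType; several need the ResourceTypeList form.
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": ["AWS::ElasticLoadBalancingV2::LoadBalancer",
                             "AWS::ApiGateway::Stage"],
        "ResourceTags": [{"Key": "exposure", "Value": "internet"}],  # scope by tag
        "ExcludeResourceTags": False,
        # True: attach the web ACL to new in-scope resources automatically.
        # False: only report them as non-compliant (a dry run before enforcing).
        "RemediationEnabled": remediate,
        "IncludeMap": {"ORG_UNIT": list(ou_ids)},   # scope by OU
    }


def check_policy_document(policy):
    """Offline sanity checks before put_policy; returns a list of problems."""
    problems = []
    try:
        data = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    except (KeyError, ValueError) as exc:
        return [f"ManagedServiceData is not a JSON string: {exc}"]
    if data.get("type") != policy["SecurityServicePolicyData"]["Type"]:
        problems.append("ManagedServiceData.type must match SecurityServicePolicyData.Type")
    if policy.get("ResourceType") == "ResourceTypeList" and not policy.get("ResourceTypeList"):
        problems.append("ResourceType is ResourceTypeList but ResourceTypeList is empty")
    if not any(v for m in ("IncludeMap", "ExcludeMap") for v in policy.get(m, {}).values()):
        problems.append("no IncludeMap/ExcludeMap: the policy would apply to every account")
    return problems


def rule_group_names(policy):
    """Managed rule group names the policy enforces, in evaluation order."""
    data = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    return [g["managedRuleGroupIdentifier"]["managedRuleGroupName"] for g in data["preProcessRuleGroups"]]


def apply_policy(policy, region="us-east-1"):
    """Create the policy from the administrator account; returns the policy ARN.
    To update an existing policy, add PolicyId and PolicyUpdateToken from get_policy."""
    import boto3  # deferred so the builders and checks run without AWS access
    return boto3.client("fms", region_name=region).put_policy(Policy=policy)["PolicyArn"]


def noncompliant_resources(policy_id, member_account, region="us-east-1"):
    """(resource id, reason) pairs Firewall Manager flags for one member account."""
    import boto3
    detail = boto3.client("fms", region_name=region).get_compliance_detail(
        PolicyId=policy_id, MemberAccount=member_account)
    return [(v["ResourceId"], v["ViolationReason"])
            for v in detail["PolicyComplianceDetail"]["Violators"]]


if __name__ == "__main__":
    policy = build_waf_policy()
    problems = check_policy_document(policy)
    if problems:
        raise SystemExit("\n".join(problems))
    print("policy ARN:", apply_policy(policy))
```

A practical rollout order is to create the policy with `remediate=False` first, call `noncompliant_resources(policy_id, "444455556666")` (hypothetical member account) to see which load balancers and API stages would receive a web ACL, and only then update the policy with remediation enabled; the offline check catches the common mistake of sending an unscoped policy to every account in the organization.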
Best practices
Here are some best practices for effectively utilizing AWS Firewall Manager:
Centralized notification: Configure Firewall Manager’s notification channel, an Amazon SNS topic in the administrator account, so that findings about unprotected or non-compliant resources in all Regions are delivered to one place where the security team can monitor and act on them.
Dedicated security account: The Firewall Manager administrator can be the organization’s management account or any member account granted the role. It is better to use a separate security tooling account, so that day-to-day policy management does not require the management account’s broad privileges.
Granular vs. global WAF rules: Use Firewall Manager policies for the organization-wide baseline, such as the AWS managed rule groups, that must apply to every in-scope resource, including resources created later in any account. Where a specific application needs finer-grained rules, the account owner adds them to the web ACL that Firewall Manager created (they are evaluated between the policy’s first and last rule groups) rather than loosening the organization-wide policy.
Compliance: Encode compliance-related requirements as Firewall Manager policies, so that they apply to every new resource created in every account in the organization instead of relying on each team to configure them.