Overview
Automations for AWS Firewall Manager allows you to centrally configure, manage, and audit firewall rules across all your AWS Organizations accounts and resources in an automated way. By using this AWS Solution, you can maintain a consistent security posture across your organization.
This solution provides preset rules to configure application-level firewalls for AWS WAF, audit unused and overly permissive Amazon Virtual Private Cloud (Amazon VPC) security groups, and set up a DNS firewall to block queries for bad domains.
This solution optionally helps you create a quick baseline of firewall security rules and protect against distributed denial of service (DDoS) attacks through integration with AWS Shield Advanced. You can also automate proactive event response and health-based detection with this capability.
Note: You can use this solution if you already use Firewall Manager in your organization; however, you must install the solution in your Firewall Manager admin account. If you have not already set up Firewall Manager, refer to the implementation guide for the steps.
Benefits
Easily configure and audit AWS WAF, DNS, and security group rules in your multi-account AWS environments using AWS Firewall Manager.
Leverage this solution to install the prerequisites needed to use Firewall Manager, so you can spend more time focusing on your specific security needs.
Leverage your AWS Shield Advanced subscription to deploy DDoS protection across accounts in AWS Organizations, set up health checks, and enable proactive event response from the Shield Response Team.
Technical details
You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.
The solution includes two architectures that show the primary stack and an optional stack with Shield Advanced features. Deploying all of the solution’s stacks with the default parameters deploys the following components in your AWS account.
Primary Stack
Step 1: Policy manager
Parameter Store, a capability of AWS Systems Manager, contains three parameters: /FMS/OUs, /FMS/Regions, and /FMS/Tags. Update these parameters using Systems Manager.
Step 2
An Amazon EventBridge rule uses an event pattern to capture the Systems Manager parameter update event.
Step 3
The EventBridge rule invokes the PolicyManager AWS Lambda function.
Step 4
The Lambda function installs a set of predefined AWS Firewall Manager security policies across the user-specified OUs. Additionally, if you have an AWS Shield Advanced subscription, the solution also deploys Shield Advanced policies to protect against DDoS attacks.
Step 5
The PolicyManager Lambda function fetches the policy manifest file from the Amazon Simple Storage Service (Amazon S3) bucket and uses the manifest file to create the Firewall Manager security policies.
Step 6: Compliance report generator
The Lambda function saves the policy metadata in an Amazon DynamoDB table.
Step 7
A time-based EventBridge rule invokes the ComplianceGenerator Lambda function.
Step 8
The ComplianceGenerator Lambda function fetches the Firewall Manager policies in each Region and publishes the list of policy IDs to an Amazon Simple Notification Service (Amazon SNS) topic.
Step 9
The SNS topic invokes the ComplianceGenerator Lambda function once per policy with the payload {PolicyId: string, Region: string}.
Step 10
The ComplianceGenerator Lambda function generates a compliance report for each policy and uploads the report in CSV format to an S3 bucket.
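The following is an added example, not the solution's own code, showing what Steps 1 through 5 amount to in practice for both stacks: matching the EventBridge events that trigger the PolicyManager function (a Parameter Store change under /FMS/, and for the Shield Advanced stack an S3 upload of the manifest), validating the /FMS/OUs, /FMS/Regions and /FMS/Tags values, and turning each manifest entry into the Policy argument of a Firewall Manager PutPolicy call per Region. The parameter encodings, the manifest schema, the manifest object key, and the sample OU and Region values are assumptions; the ManagedServiceData shapes follow the documented Firewall Manager formats for the WAFV2, SECURITY_GROUPS_USAGE_AUDIT and SHIELD_ADVANCED policy types.

```python
"""Added example (not the solution's own code): what the PolicyManager step does with the
/FMS/* parameters and the policy manifest, ending in fms.put_policy() inputs.
Assumed, not from the page: the parameter encodings, the manifest schema and object key,
and the sample OU/Region values."""
import json
import re

OU_ID = re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")  # AWS Organizations OU id format

# Constructed sample values for the three Parameter Store parameters (assumed encodings).
SAMPLE_PARAMETERS = {
    "/FMS/OUs": "ou-abcd-11111111, ou-abcd-22222222",
    "/FMS/Regions": "us-east-1,eu-west-1",
    "/FMS/Tags": json.dumps({"ResourceTags": [{"Key": "Environment", "Value": "prod"}],
                             "ExcludeResourceTags": False}),
}

# Constructed sample manifest (hypothetical schema). managedServiceData is the JSON document
# Firewall Manager expects in SecurityServicePolicyData.ManagedServiceData for that policy type.
SAMPLE_MANIFEST = {"policies": [
    {"name": "FMS-WAF-Baseline", "type": "WAFV2", "remediationEnabled": True,
     "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
     "managedServiceData": {"type": "WAFV2", "defaultAction": {"type": "ALLOW"},
                            "overrideCustomerWebACLAssociation": False, "postProcessRuleGroups": [],
                            "preProcessRuleGroups": [{"ruleGroupArn": None, "ruleGroupType": "ManagedRuleGroup",
                                                      "overrideAction": {"type": "NONE"}, "excludeRules": [],
                                                      "managedRuleGroupIdentifier": {
                                                          "version": None, "vendorName": "AWS",
                                                          "managedRuleGroupName": "AWSManagedRulesCommonRuleSet"}}]}},
    {"name": "FMS-SG-UsageAudit", "type": "SECURITY_GROUPS_USAGE_AUDIT",
     "resourceType": "AWS::EC2::SecurityGroup",
     "managedServiceData": {"type": "SECURITY_GROUPS_USAGE_AUDIT", "deleteUnusedSecurityGroups": False,
                            "coalesceRedundantSecurityGroups": False}},
    {"name": "FMS-Shield-ALB", "type": "SHIELD_ADVANCED",
     "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
     "managedServiceData": {"type": "SHIELD_ADVANCED"}},
]}


def is_fms_parameter_event(event):
    """Step 2: the EventBridge pattern for Parameter Store changes under /FMS/."""
    d = event.get("detail", {})
    return (event.get("source") == "aws.ssm" and event.get("detail-type") == "Parameter Store Change"
            and d.get("name", "").startswith("/FMS/") and d.get("operation") in ("Create", "Update"))


def is_manifest_upload_event(event, bucket, key="manifest.json"):
    """Shield stack Step 2: an S3 EventBridge 'Object Created' event for the manifest (assumed key)."""
    d = event.get("detail", {})
    return (event.get("source") == "aws.s3" and event.get("detail-type") == "Object Created"
            and d.get("bucket", {}).get("name") == bucket and d.get("object", {}).get("key") == key)


def parse_parameters(params):
    """Split and validate the comma-separated OU and Region lists; reject malformed OU ids early."""
    ous = [o.strip() for o in params["/FMS/OUs"].split(",") if o.strip()]
    bad = [o for o in ous if not OU_ID.match(o)]
    if bad:
        raise ValueError(f"malformed OU ids in /FMS/OUs: {bad}")
    regions = [r.strip() for r in params["/FMS/Regions"].split(",") if r.strip()]
    return ous, regions, json.loads(params["/FMS/Tags"])


def build_policy(entry, ous, tags):
    """Return the Policy argument for boto3 fms.put_policy(Policy=...)."""
    return {
        "PolicyName": entry["name"],
        "SecurityServicePolicyData": {"Type": entry["type"],
                                      "ManagedServiceData": json.dumps(entry["managedServiceData"])},
        "ResourceType": entry["resourceType"],
        "ResourceTags": tags.get("ResourceTags", []),
        "ExcludeResourceTags": bool(tags.get("ExcludeResourceTags", False)),
        "RemediationEnabled": bool(entry.get("remediationEnabled", False)),
        "IncludeMap": {"ORG_UNIT": ous},  # scope the policy to the OUs from /FMS/OUs
    }


def plan_deployments(params, manifest, shield_advanced_subscribed):
    """Steps 4 and 5: one (region, policy) pair per manifest entry per Region;
    SHIELD_ADVANCED entries are skipped without a Shield Advanced subscription."""
    ous, regions, tags = parse_parameters(params)
    return [(region, build_policy(e, ous, tags))
            for e in manifest["policies"]
            if e["type"] != "SHIELD_ADVANCED" or shield_advanced_subscribed
            for region in regions]


if __name__ == "__main__":
    for region, policy in plan_deployments(SAMPLE_PARAMETERS, SAMPLE_MANIFEST, shield_advanced_subscribed=False):
        print(region, policy["PolicyName"], policy["IncludeMap"])
        # real use: boto3.client("fms", region_name=region).put_policy(Policy=policy)
```

Two checks worth keeping in a real policy manager: validate the OU ids before calling PutPolicy, because a typo in /FMS/OUs otherwise silently scopes the policy to nothing, and remember that Firewall Manager policies targeting CloudFront distributions must be created in the US East (N. Virginia) Region regardless of what /FMS/Regions contains.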
Optional stacks with automations for Shield Advanced
Step 1: Policy manager
(Optional) Update the Parameter Store parameters created by the aws-fms-automations template with your desired values. The parameters that are created include /FMS/OUs, /FMS/Regions, and /FMS/Tags.
Step 2
An EventBridge rule uses an event pattern to capture Systems Manager parameter update events and S3 upload events.
Step 3
The EventBridge rule invokes the PolicyManager Lambda function.
Step 4
The Lambda function installs a set of predefined Firewall Manager security policies across the user-specified OUs. Additionally, if you have a Shield Advanced subscription, the solution also deploys Shield Advanced policies to protect against DDoS attacks.
Step 5
The PolicyManager Lambda function fetches the policy manifest file from the S3 bucket and uses the manifest file to create the Firewall Manager security policies.
Step 6: Automated health-based detection
The organization AWS Config rule captures existing Shield Advanced protections across your AWS organization. These protections can have been created automatically by the Firewall Manager security policies deployed by this solution, or manually using the Shield console.
Step 7
Shield Advanced protections captured by the organization Config rule are sent to the ConfigRuleEval Lambda function for evaluation. This Lambda function determines whether the protection has Amazon Route 53 health checks associated with it.
Step 8
If no Route 53 health checks are associated with the Shield Advanced protection, the solution publishes a message to an Amazon SQS queue requesting that health checks be created for the protection.
Step 9
The ConfigRuleRemediate Lambda function reads messages from the SQS queue.
Step 10
The ConfigRuleRemediate Lambda function creates a calculated Route 53 health check based on the type of resource that the Shield Advanced protection protects.
Step 11
The ConfigRuleRemediate Lambda function associates the Route 53 health check created in Step 10 with the Shield Advanced protection being evaluated.
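The following is an added example, not the solution's own code, that walks Steps 7 through 11 end to end: the evaluation verdict per protection, the SQS message that requests remediation, classification of the protected resource from its ARN, creation of CloudWatch-metric child health checks and a CALCULATED parent, and the association of that parent with the Shield Advanced protection. The SQS message shape, the child alarm names per resource type, and the fake Route 53 and Shield clients (which stand in for boto3.client("route53") and boto3.client("shield") so the script runs offline) are assumptions; the Route 53 CreateHealthCheck and Shield AssociateHealthCheck request shapes are the real ones.

```python
"""Added example (not the solution's own code): the evaluate -> queue -> remediate loop of
Steps 7 to 11. Assumed, not from the page: the SQS message shape, the child CloudWatch
alarm names per resource type, and the fake clients used so the script runs offline."""
import hashlib
import json

# Constructed sample protections, shaped like shield.describe_protection()["Protection"].
SAMPLE_PROTECTIONS = [
    {"Id": "p-alb", "Name": "alb-prod", "HealthCheckIds": [],
     "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/prod/50dc6c495c0c9188"},
    {"Id": "p-cf", "Name": "cf-prod", "HealthCheckIds": ["0c5d8b3a-1111-2222-3333-444455556666"],
     "ResourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"},
    {"Id": "p-eip", "Name": "nat-eip", "HealthCheckIds": [],
     "ResourceArn": "arn:aws:ec2:us-east-1:111122223333:eip-allocation/eipalloc-0123456789abcdef0"},
]

# Assumed CloudWatch alarm names to wire in as child health checks; the page does not list the real ones.
CHILD_ALARMS = {
    "ALB": ["alb-prod-5xx-rate", "alb-prod-target-latency"],
    "CLOUDFRONT": ["cf-prod-5xx-rate", "cf-prod-origin-latency"],
    "EIP": ["nat-eip-packets-in", "nat-eip-cpu"],
}


def evaluate(protection):
    """Step 7: a protection is compliant only if it already has Route 53 health checks."""
    return "COMPLIANT" if protection.get("HealthCheckIds") else "NON_COMPLIANT"


def remediation_messages(protections):
    """Step 8: one SQS message body per non-compliant protection."""
    return [json.dumps({"ProtectionId": p["Id"], "ResourceArn": p["ResourceArn"]})
            for p in protections if evaluate(p) == "NON_COMPLIANT"]


def resource_kind(arn):
    """Classify the protected resource from its ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    service, resource = parts[2], parts[5]
    if service == "cloudfront" and resource.startswith("distribution/"):
        return "CLOUDFRONT"
    if service == "elasticloadbalancing" and resource.startswith("loadbalancer/app/"):
        return "ALB"
    if service == "ec2" and resource.startswith("eip-allocation/"):
        return "EIP"
    raise ValueError(f"no health-check template for {arn}")


def caller_reference(protection_id, label):
    """Deterministic CallerReference: on an SQS redelivery Route 53 returns the existing check instead of a duplicate."""
    return hashlib.sha256(f"{protection_id}:{label}".encode()).hexdigest()[:32]


def remediate(message_body, route53, shield, alarm_region="us-east-1"):
    """Steps 9 to 11: build child checks, a CALCULATED parent, and associate it with the protection."""
    msg = json.loads(message_body)
    kind = resource_kind(msg["ResourceArn"])
    child_ids = []
    for alarm in CHILD_ALARMS[kind]:
        resp = route53.create_health_check(
            CallerReference=caller_reference(msg["ProtectionId"], alarm),
            HealthCheckConfig={"Type": "CLOUDWATCH_METRIC",
                               "AlarmIdentifier": {"Region": alarm_region, "Name": alarm},
                               "InsufficientDataHealthStatus": "LastKnownStatus"})
        child_ids.append(resp["HealthCheck"]["Id"])
    # HealthThreshold == number of children: the resource is unhealthy as soon as any one alarm fires.
    parent = route53.create_health_check(
        CallerReference=caller_reference(msg["ProtectionId"], "calculated"),
        HealthCheckConfig={"Type": "CALCULATED", "ChildHealthChecks": child_ids,
                           "HealthThreshold": len(child_ids)})
    parent_id = parent["HealthCheck"]["Id"]
    shield.associate_health_check(ProtectionId=msg["ProtectionId"],
                                  HealthCheckArn=f"arn:aws:route53:::healthcheck/{parent_id}")
    return parent_id


class FakeRoute53:
    """Stand-in for boto3.client('route53'); keyed on CallerReference like the real API."""
    def __init__(self):
        self.created = {}

    def create_health_check(self, CallerReference, HealthCheckConfig):
        hc_id = self.created.setdefault(CallerReference, f"hc-{len(self.created):04d}")
        return {"HealthCheck": {"Id": hc_id, "HealthCheckConfig": HealthCheckConfig}}


class FakeShield:
    """Stand-in for boto3.client('shield'); records associations."""
    def __init__(self):
        self.associations = []

    def associate_health_check(self, ProtectionId, HealthCheckArn):
        self.associations.append((ProtectionId, HealthCheckArn))
        return {}


if __name__ == "__main__":
    r53, sh = FakeRoute53(), FakeShield()
    for body in remediation_messages(SAMPLE_PROTECTIONS):
        print(json.loads(body)["ProtectionId"], "->", remediate(body, r53, sh))
    print(sh.associations)
```

Two design points carry over to a real remediation function. The deterministic CallerReference matters because SQS delivers at least once: a redelivered message must not create a second set of health checks. The HealthThreshold is a tuning choice: setting it equal to the child count makes Shield Advanced treat the resource as unhealthy when any one alarm fires, which speeds up mitigation but also makes a noisy alarm look like an attack, so pick child alarms you would trust to page on.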
Related content
This course provides an overview of AWS security technology, use cases, benefits, and services. The infrastructure protection section covers AWS WAF for traffic filtering.
This course introduces you to AWS Organizations, the service that offers policy-based management for multiple AWS accounts. We discuss key features and terminology, review how to access and use the service, and provide a demonstration.
This exam tests your technical expertise in securing the AWS platform. This is for anyone in an experienced security role.