Posted On: Apr 1, 2021

AWS Firewall Manager now supports Amazon Route 53 Resolver DNS Firewall, making it easy for security administrators to identify the set of DNS Firewall rules they wish to use and deploy across their organization, from a central place. AWS recently launched Amazon Route 53 Resolver DNS Firewall, a managed firewall feature that enables customers to block DNS queries made for known malicious domains and to allow queries for trusted domains. DNS Firewall provides more granular control over the DNS querying behavior of resources within your Amazon Virtual Private Clouds (VPCs). Now that Firewall Manager supports DNS Firewall, you can identify the set of DNS Firewall rules you wish to use and deploy them across multiple accounts, organizational units (OUs), and VPCs, all from a single central security administrator account.

To get started, create or configure a Firewall Manager security policy from your Firewall Manager dedicated security administrator account. The security policy should specify one or more sets of DNS Firewall rules (rule groups), in the order in which they should be evaluated, along with the accounts, OUs, and VPCs in which you want to deploy the rule groups. Once configured, Firewall Manager will automatically create the DNS Firewall rules, allowing or denying DNS queries made for certain domains, in the accounts and VPCs you specified. Any changes you make to the rules as central administrator are automatically applied downstream to the associated accounts and VPCs. This feature enables you to consistently enforce centrally mandated DNS Firewall rules across your organization, even as new accounts and VPCs are created within the organization.

AWS Firewall Manager is a security management service that enables customers to centrally configure and manage firewall rules across their accounts and resources in AWS Organizations. To use Firewall Manager for DNS Firewall, customers must onboard their accounts to AWS Organizations, enable AWS Config and AWS Resource Access Manager (RAM) for all their accounts, and designate an account as the Firewall Manager administrator. Using Firewall Manager, customers can centrally deploy and manage AWS WAF rules, AWS Shield Advanced protections, VPC security groups, AWS Network Firewall rules, and now Amazon Route 53 Resolver DNS Firewall rules across their entire organization.
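The announcement describes the policy in words; the following added example (not AWS's own code or documentation) shows what such a Firewall Manager security policy looks like as a `put_policy` request from the administrator account. It builds the policy document in Python, enforcing the ordering constraints a practitioner runs into: the `ManagedServiceData` layout for the `DNS_FIREWALL` policy type (`preProcessRuleGroups` evaluated before, and `postProcessRuleGroups` after, any rule groups the account owners attach locally) and the priority windows reserved for each position (1-99 and 9901-10000) are taken from the Firewall Manager documentation as I know it and should be checked against the current docs; the rule group IDs, account ID and OU ID are constructed placeholders. The `deploy` function is the only part that needs boto3 and credentials; everything else runs offline.

```python
"""Build (and optionally push) a Firewall Manager DNS Firewall security policy.

Added example; field names and priority windows follow the Firewall Manager
DNS_FIREWALL policy type as documented (assumption: verify against current docs).
"""
import json

# Priority windows Firewall Manager reserves for centrally managed rule groups.
# Pre-process groups run before, post-process groups after, any rule groups
# that individual account owners associate with their VPCs themselves.
PRE_PROCESS_PRIORITIES = range(1, 100)        # assumed: 1-99
POST_PROCESS_PRIORITIES = range(9901, 10001)  # assumed: 9901-10000


def is_valid_priority(priority, position):
    """True if `priority` falls in the window for `position` ('pre' or 'post')."""
    window = PRE_PROCESS_PRIORITIES if position == "pre" else POST_PROCESS_PRIORITIES
    return priority in window


def _normalize(groups, position):
    """Validate (rule_group_id, priority) pairs and return them in evaluation order."""
    seen = set()
    out = []
    for rule_group_id, priority in groups:
        if not is_valid_priority(priority, position):
            raise ValueError(f"{position}-process priority {priority} for {rule_group_id} is out of range")
        if priority in seen:
            raise ValueError(f"duplicate {position}-process priority {priority}")
        seen.add(priority)
        out.append({"ruleGroupId": rule_group_id, "priority": priority})
    # Lower priority value is evaluated first; keep the document in that order.
    return sorted(out, key=lambda g: g["priority"])


def build_managed_service_data(pre_process, post_process):
    """Return the ManagedServiceData JSON string for a DNS_FIREWALL policy."""
    data = {
        "type": "DNS_FIREWALL",
        "preProcessRuleGroups": _normalize(pre_process, "pre"),
        "postProcessRuleGroups": _normalize(post_process, "post"),
    }
    return json.dumps(data, separators=(",", ":"))


def evaluation_order(managed_service_data):
    """Parse a ManagedServiceData string and list rule group IDs in the order DNS Firewall evaluates them."""
    data = json.loads(managed_service_data)
    groups = sorted(data["preProcessRuleGroups"], key=lambda g: g["priority"])
    groups += sorted(data["postProcessRuleGroups"], key=lambda g: g["priority"])
    return [g["ruleGroupId"] for g in groups]


def build_policy(name, pre_process, post_process, account_ids=(), org_unit_ids=()):
    """Assemble the Policy structure accepted by fms.put_policy for the given scope."""
    include_map = {}
    if account_ids:
        include_map["ACCOUNT"] = list(account_ids)
    if org_unit_ids:
        include_map["ORG_UNIT"] = list(org_unit_ids)
    if not include_map:
        raise ValueError("policy must be scoped to at least one account or OU")
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "DNS_FIREWALL",
            "ManagedServiceData": build_managed_service_data(pre_process, post_process),
        },
        "ResourceType": "AWS::EC2::VPC",   # DNS Firewall policies apply to VPCs
        "ExcludeResourceTags": False,       # apply to every VPC in scope, not a tag subset
        "RemediationEnabled": True,         # auto-associate the rule groups with new VPCs
        "IncludeMap": include_map,
    }


def deploy(policy):
    """Push the policy from the Firewall Manager administrator account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the builder works offline
    return boto3.client("fms").put_policy(Policy=policy)


if __name__ == "__main__":
    # Constructed placeholder IDs; replace with real rule group, account and OU IDs.
    policy = build_policy(
        "dns-firewall-baseline",
        pre_process=[("rslvr-frg-EXAMPLE-block", 10), ("rslvr-frg-EXAMPLE-allow", 5)],
        post_process=[("rslvr-frg-EXAMPLE-catchall", 9950)],
        account_ids=["111122223333"],
        org_unit_ids=["ou-EXAMPLE-abcd1234"],
    )
    print(json.dumps(policy, indent=2))
    print("evaluation order:", evaluation_order(policy["SecurityServicePolicyData"]["ManagedServiceData"]))
```

Putting the trusted-domain allow group at a lower pre-process priority than the block group reflects the ordering the announcement describes: the central administrator decides which rule group is consulted first, and `RemediationEnabled` is what makes Firewall Manager attach the rule groups to VPCs created later.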

To get started, see the AWS Firewall Manager documentation for more details and the AWS Region Table for the list of regions where AWS Firewall Manager is currently available. To learn more about AWS Firewall Manager, its features and pricing, please visit the AWS Firewall Manager website.