AWS Firewall Manager Documentation

AWS Firewall Manager is a security management service that enables you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. Firewall Manager is designed to help you bring new applications and resources into compliance by enforcing a common set of security rules. Firewall Manager can be used to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your accounts, from a central administrator account.

You can use AWS Firewall Manager to roll out AWS WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront distributions. You can use AWS Firewall Manager to create AWS Shield Advanced protections for your Application Load Balancers, ELB Classic Load Balancers, Elastic IP Addresses and CloudFront distributions. You can also configure new Amazon Virtual Private Cloud (VPC) security groups and audit existing VPC security groups for your Amazon EC2, Application Load Balancer (ALB) and ENI resource types. You can deploy AWS Network Firewalls across accounts and VPCs in your organization. You can also use AWS Firewall Manager to associate your VPCs with Amazon Route 53 Resolver DNS Firewall rules.

Centrally deploy AWS Network Firewall across VPCs

Using Firewall Manager, you can deploy firewall rules for AWS Network Firewall to control traffic leaving and entering your network across accounts and Amazon VPCs, from a single place. Changes to the centrally configured set of rules are deployed to your accounts and VPCs. Firewall Manager also reports non-compliant issues, including VPCs and accounts that are missing Network Firewall protections.

Deploy Amazon VPC security groups, AWS WAF rules, AWS Shield Advanced protections, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules

You can enforce policies on AWS resources that currently exist or that are created in the future. AWS Firewall Manager gives customers the ability to apply AWS WAF rules, as well as Managed Rules for AWS WAF, on Application Load Balancers, API Gateways and Amazon CloudFront accounts. You can apply AWS Shield Advanced protections on Application or Classic Load Balancers, Elastic IP addresses or CloudFront distributions. Similarly, you can use AWS Firewall Manager to create a common primary security group across your EC2 instances in your VPC. With Firewall Manager, you can deploy Network Firewall endpoints and associated rules for your VPCs. Firewall Manager also lets you associate your VPCs with Route 53 Resolver DNS Firewall rules. You can choose to enforce the rule on a newly created resource by default, or you can choose to be notified when the new resource is created.

Multi-account resource groups

Within AWS Firewall Manager, you are able to group resources by Account, by Resource Type, and by Tag. You can create policies for all resources within a particular group or across accounts in the organization.

Cross-account protection policies

AWS Firewall Manager is integrated with AWS Organizations and will fetch the list of accounts in your AWS organization to enable you to group resources across accounts. You can build protection policies, which define a group of resources and associate the group with your policy. You can also specify the scope of the policy to cover a specific set of AWS accounts or all of your Organizations’ accounts. Firewall Manager will deploy the protections only on the resources in the accounts based on the scope of the policy.

Hierarchical rule enforcement

AWS Firewall Manager enables you to apply protection policies in a hierarchical manner, so you can delegate the creation of application-specific rules while retaining the ability to enforce certain rules centrally. Centrally applied rules are monitored for accidental removal or mishandling.  

Dashboard with compliance notifications

AWS Firewall Manager provides a visual dashboard where you can view which AWS resources are protected, identify non-compliant resources, and take appropriate action. You can also get notified when there are changes to your configurations through SNS notification streams. 

Audit existing and future security groups in your VPCs

With AWS Firewall Manager, you can create policies to set guardrails that define what security groups are allowed/disallowed across your VPCs. AWS Firewall Manager monitors security groups to detect overly permissive rules and helps improve firewall posture. You can get notifications of accounts and resources that are non-compliant or allow AWS Firewall Manager to take action directly through auto-remediation.  

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.