What is AWS Firewall Manager?
AWS Firewall Manager is a security management tool that makes it easier for you to configure your AWS WAF rules across your accounts. With Firewall Manager, security administrators of large organizations can write company-wide rules from one place, enforce them across applications protected by AWS WAF, and get the central visibility of attacks against your Application Load Balancers and Amazon CloudFront infrastructure.
What are the key benefits of AWS Firewall Manager?
AWS Firewall Manager is integrated with AWS Organizations so you can enable AWS WAF across multiple AWS accounts and resources from a single place. AWS Firewall Manager monitors for new resources or accounts created to ensure they comply with a mandatory set of security policies from day one. You now have a single place to quickly respond to incidents, for example, by blocking an IP address or applying a CVE patch update. With AWS Firewall Manager, your security team can be notified of threats to the organization so they can respond and rapidly mitigate an attack. Finally, AWS Firewall Manager also integrates with Managed Rules for AWS WAF, which gives you an easy way to deploy pre-configured WAF rules in front of your applications.
Does AWS Firewall Manager configure VPC Security Groups or Network ACLs?
Yes, AWS Firewall Manager does support configuration of VPC Security Groups. However, it does not support Network ACLs today.
Enabling AWS Firewall Manager
What are the prerequisites for AWS Firewall Manager?
There are three pre-requisites to use AWS Firewall Manager.
- AWS Organizations - Your accounts must be part of AWS Organizations and have enabled all features. See AWS Organizations documentation for more details.
- Set the AWS Firewall Manager Administrator Account - Firewall Manager must be associated with the master account of your AWS organization or associated with a member account that has the appropriate permissions. The account that you associate with Firewall Manager is called the Firewall Manager administrator account. See the documentation guide for more information.
- Enable AWS Config on accounts - Enable AWS Config for each member account in your organization. See AWS Config documentation.
How do I use AWS Firewall Manager?
- First, complete the prerequisites mentioned above.
- Second, create a custom Rule Group, or subscribe to a Managed Rule Group provided by a Marketplace vendor via Managed Rules for AWS WAF.
- Third, specify the Firewall Manager policy scope by choosing the resource type and, optionally, choosing Tags.
- Finally, you can review and create the policy. Firewall Manager will automatically apply the WAF rule group to all resources across accounts, and once complete, Firewall Manager also shows a compliance dashboard that indicates which accounts/resources are compliant and which ones are not.
Can I create a Firewall Manager policy but not remediate automatically?
Yes, you can configure a Firewall Manager policy in two modes –
- Automatic remediation, which allows you to automatically monitor for drift in policy and apply rules on non-compliant resources
- Manual remediation, which creates a new policy and the associated WAF rule groups in each account but does not enforce the rules on the resources in the account. After the policy is created with manual remediation, you can choose to take manual action from each local account owner, or at any point you can edit the policy to automatically remediate.
How many accounts can AWS Firewall Manager manage?
Each Firewall Manager policy can configure WAF rules on up to 2,500 accounts, which is the default limit for number of accounts in AWS Organizations.
How many resources can AWS Firewall Manager manage?
There is not a limit on the number of resources managed by Firewall Manager at this time.
Can I create protection policies across regions?
No, AWS Firewall Manager protection policies are region specific. Each Firewall Manager policy can only include resources available in that specified AWS Region. You can create a new policy for each region where you operate.
Can I exclude accounts or resources from the scope of the policy?
Yes. You can use Tags to specify the resources that should be excluded from the policy scope.
Dashboard and Visibility
How can I view the compliance status to a particular policy?
With Firewall Manager you can quickly view the compliance status for each policy by looking at how many accounts are included in the scope of the policy and how many out of those are compliant. Further, for each policy configured on Firewall Manager, you get a compliance dashboard. The central compliance dashboard allows you to view which accounts are non-compliant to a given policy, which specific resources are non-compliant, and also provides information about the reason why a particular resource is not compliant.
Does AWS Firewall Manager provide notifications when a resource is non-compliant?
Yes, you can create new SNS notification channels to receive real-time notifications when new non-compliant resources are discovered.
How can I view all threats across my organization?
For each Firewall Manager policy created, you can aggregate CloudWatch metrics for each Rule in the Rule Group, indicating how many requests were allowed or blocked across the entire organization. This gives you a central place to set up alerts for threats across your organization.