Automations for AWS Firewall Manager

What does this AWS Solution do?

The Automations for AWS Firewall Manager solution (successor to AWS Centralized WAF and VPC Security Group Management) allows you to centrally configure, manage, and audit firewall rules across all your accounts and resources in AWS Organizations. This solution is a reference implementation to automate the process to set up AWS Firewall Manager security policies.

This solution provides preconfigured rules that can be deployed across AWS Organizations to (1) configure application-level firewalls for AWS WAF, (2) audit unused and overly permissive virtual private cloud (VPC) security groups, and (3) configure DNS Firewall to block queries for known-bad domains. It allows you to automatically turn on the prerequisites required to use Firewall Manager, so you can spend more time focusing on your specific security needs.

This solution helps AWS enterprise customers create a quick baseline of firewall security rules across Layers 3-7 resources and maintain a consistent security posture within their organization. Additionally, this solution deploys Shield Advanced policies for customers who subscribe to AWS Shield Advanced, to protect against Distributed Denial of Service (DDoS) attacks to their AWS accounts.

Note: This solution must be installed in your Firewall Manager admin account. If you have not already set up Firewall Manager, refer to the Implementation Guide for the steps.


Configure WAF, DNS, and Security Group policies

Easily configure and audit WAF, DNS, and Security Group rules in your multi-account AWS environments using AWS Firewall Manager.

Automate AWS Firewall Manager installation

Leverage this solution to install the prerequisites needed to use AWS Firewall Manager.

Deploy DDoS protection across accounts

Leverage your AWS Shield Advanced subscription to deploy DDoS protection across accounts in AWS Organizations.

AWS Solution overview

The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.

Automations for AWS Firewall Manager architecture

The architecture can be grouped into two separate workflows: Policy manager and Compliance report generator.

Policy manager

When the AWS CloudFormation template deploys, it creates three AWS Systems Manager Parameter Store parameters, each with a default value: /FMS/OUs, /FMS/Regions, and /FMS/Tags.

1. You can update these parameters using Systems Manager:

  • For the /FMS/OUs parameter, add organizational unit IDs to apply policies and rule sets to multiple OUs.
  • For the /FMS/Regions parameter, specify AWS Region names.
  • For the /FMS/Tags parameter, define inclusion and exclusion tags. Resources in member accounts that carry an inclusion tag receive the policies and rule sets; resources that carry an exclusion tag are skipped.

2. An Amazon EventBridge rule uses an event pattern to capture the Systems Manager parameter update event.

3. The EventBridge rule invokes an AWS Lambda function.

4. The Lambda function installs a set of predefined AWS Firewall Manager security policies across the user-specified OUs. The policies include an AWS WAF web ACL made up of AWS managed rule sets, and VPC security group audit policies. Additionally, if you subscribe to AWS Shield Advanced, the solution deploys Shield Advanced policies to protect against Distributed Denial of Service (DDoS) attacks.

5. The PolicyManager Lambda function fetches the policy manifest file from the Amazon S3 bucket and uses the manifest file to create AWS Firewall Manager security policies.

6. The Lambda function saves policy metadata in an Amazon DynamoDB table. For a complete list of the policies and rule sets that are installed, and information about the recommended policy defaults and where they are contained.
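The trigger in steps 2 and 3 is an EventBridge rule whose event pattern selects Parameter Store change events. The following is an added example, not code from the Automations for AWS Firewall Manager solution: it shows what such a pattern looks like and implements the subset of EventBridge matching semantics needed to check a sample event against it. The pattern `PARAMETER_CHANGE_PATTERN`, the helper names, and the sample events are assumptions constructed for this example; the solution's actual rule is not shown on this page.

```python
"""Added example, not code from the Automations for AWS Firewall Manager
solution: an EventBridge-style matcher for the Parameter Store change events
that drive the Policy manager workflow (steps 1-3 above).

Assumptions: PARAMETER_CHANGE_PATTERN is a hypothetical rule pattern written
for this example; the sample events are constructed by hand in the shape
EventBridge uses for 'Parameter Store Change' events from source 'aws.ssm'.
"""

# Hypothetical event pattern: react only to creates and updates of the three
# solution parameters, not to deletes or to unrelated parameters.
PARAMETER_CHANGE_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["Parameter Store Change"],
    "detail": {
        "name": ["/FMS/OUs", "/FMS/Regions", "/FMS/Tags"],
        "operation": ["Create", "Update"],
    },
}


def matches(pattern, event):
    """Subset of EventBridge matching semantics: every key in the pattern must
    exist in the event; a list of values matches when the event's value equals
    any of them; a nested dict is matched recursively. Keys present in the
    event but absent from the pattern are ignored, as EventBridge does."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def changed_parameter(event):
    """Return (parameter name, operation) for an event the rule would forward
    to the Lambda function, or None if the rule would drop it."""
    if not matches(PARAMETER_CHANGE_PATTERN, event):
        return None
    detail = event["detail"]
    return detail["name"], detail["operation"]


def make_event(name, operation, source="aws.ssm"):
    """Build a constructed sample event (not a captured AWS event)."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",  # placeholder event id
        "detail-type": "Parameter Store Change",
        "source": source,
        "account": "123456789012",  # placeholder account id
        "region": "us-east-1",
        "detail": {"name": name, "type": "StringList", "operation": operation},
    }


if __name__ == "__main__":
    print(changed_parameter(make_event("/FMS/OUs", "Update")))     # ('/FMS/OUs', 'Update')
    print(changed_parameter(make_event("/FMS/OUs", "Delete")))     # None
    print(changed_parameter(make_event("/App/Secret", "Update")))  # None
```

The pattern deliberately lists the three parameter names rather than a prefix, so an unrelated parameter created under another path never reaches the policy Lambda; restricting `operation` to Create and Update means a deletion of one of the parameters is not treated as a request to redeploy policies with empty values.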

Compliance report generator

When the CloudFormation stack deploys, it creates a time-based Amazon EventBridge (CloudWatch Events) rule, a Lambda function, an Amazon SNS topic, and an Amazon S3 bucket.

1. A time-based Amazon EventBridge rule invokes the Compliance Generator Lambda function.

2. The Compliance Generator Lambda function fetches the Firewall Manager policies in each Region and publishes the list of policy IDs to the SNS topic.

3. The SNS topic invokes the Compliance Generator Lambda function with the payload {PolicyId: string, Region: string}.

4. The compliance generator generates a compliance report for each of the policies and uploads the report in CSV format in an S3 bucket.
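The four steps above describe one Lambda function that is invoked in two ways: on a schedule to enumerate policies, and again through SNS once per policy. The following is an added example, not the solution's own code, showing that fan-out as a single handler plus the CSV rendering. The callables `list_policies`, `describe_compliance`, `publish` and `put_object` are hypothetical stand-ins for the AWS API calls so the code runs offline, and the policy listing and compliance data are constructed by hand, loosely following the shape of Firewall Manager compliance status results.

```python
"""Added example, not code from the Automations for AWS Firewall Manager
solution: the Compliance report generator fan-out (steps 1-4 above) as one
Lambda-style handler that plays both roles. A scheduled invocation lists
policies per Region and publishes one {PolicyId, Region} message per policy;
an SNS-triggered invocation renders the report for that single policy as CSV.

Assumptions: list_policies, describe_compliance, publish and put_object are
hypothetical callables injected in place of AWS API calls; SAMPLE_POLICIES
and SAMPLE_COMPLIANCE are constructed sample data, not real ids or accounts.
"""
import csv
import io
import json


def fan_out(policies_by_region):
    """Step 2: one SNS message per policy, {PolicyId, Region}, in a stable order."""
    return [
        {"PolicyId": policy_id, "Region": region}
        for region in sorted(policies_by_region)
        for policy_id in policies_by_region[region]
    ]


def report_csv(policy_id, region, compliance):
    """Step 4: flatten per-account compliance results into CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["PolicyId", "Region", "MemberAccount", "ComplianceStatus", "ViolatorCount"])
    for account in compliance:
        for result in account["EvaluationResults"]:
            writer.writerow([policy_id, region, account["MemberAccount"],
                             result["ComplianceStatus"], result["ViolatorCount"]])
    return buf.getvalue()


def handler(event, list_policies, describe_compliance, publish, put_object):
    """Dispatch on the trigger: SNS records carry a single policy to report on;
    an event without Records is treated as the scheduled run."""
    records = event.get("Records", [])
    if not records:
        messages = fan_out(list_policies())
        for message in messages:
            publish(json.dumps(message))
        return {"published": len(messages)}
    written = []
    for record in records:
        message = json.loads(record["Sns"]["Message"])
        policy_id, region = message["PolicyId"], message["Region"]
        body = report_csv(policy_id, region, describe_compliance(policy_id, region))
        key = f"compliance/{region}/{policy_id}.csv"  # assumed object key layout
        put_object(key, body)
        written.append(key)
    return {"written": written}


# Constructed sample data (placeholder policy ids and account ids)
SAMPLE_POLICIES = {"us-east-1": ["policy-aaa", "policy-bbb"], "eu-west-1": ["policy-ccc"]}
SAMPLE_COMPLIANCE = {
    ("policy-ccc", "eu-west-1"): [
        {"MemberAccount": "111111111111",
         "EvaluationResults": [{"ComplianceStatus": "COMPLIANT", "ViolatorCount": 0}]},
        {"MemberAccount": "222222222222",
         "EvaluationResults": [{"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 3}]},
    ],
}


def run_demo():
    """Drive both invocation shapes in-process; return what would reach SNS and S3."""
    sns_messages, s3_objects = [], {}
    scheduled = handler({}, lambda: SAMPLE_POLICIES, None, sns_messages.append, None)
    # Replay the first published message as an SNS-triggered invocation.
    sns_event = {"Records": [{"Sns": {"Message": sns_messages[0]}}]}
    report = handler(sns_event, None,
                     lambda pid, reg: SAMPLE_COMPLIANCE.get((pid, reg), []),
                     None, s3_objects.__setitem__)
    return scheduled, report, sns_messages, s3_objects


if __name__ == "__main__":
    scheduled, report, _, objects = run_demo()
    print(scheduled, report)
    print(objects["compliance/eu-west-1/policy-ccc.csv"])
```

Fanning out through SNS keeps each report invocation short-lived and independently retryable, which is the property a practitioner wants when the number of policies times the number of Regions grows beyond what one Lambda run should handle.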

Automations for AWS Firewall Manager

Version 2.0.3
Last updated: 12/2022
Author: AWS

Estimated deployment time: 3 min
