What does this AWS Solutions Implementation do?
The AWS Centralized WAF and VPC Security Group Management solution allows you to centrally configure, manage, and audit firewall rules across all your accounts and resources in AWS Organizations. This solution is a reference implementation that automates the process of setting up AWS Firewall Manager security policies.
This solution provides pre-configured rules that can be deployed across accounts to (1) configure application-level firewalls for Web Application Firewall (WAF) and (2) audit unused and overly permissive virtual private cloud (VPC) security groups. It allows you to automatically enable the prerequisites required to use Firewall Manager, so you can spend more time focusing on your specific security needs.
This solution helps AWS enterprise customers create a quick baseline of firewall security rules across Layers 3-7 resources and maintain a consistent security posture within their organization. Additionally, this solution deploys Shield Advanced policies for customers who subscribe to AWS Shield Advanced, to protect against Distributed Denial of Service (DDoS) attacks to their AWS accounts.
Note: This solution must be installed in your Firewall Manager admin account. If you have not already set up Firewall Manager, refer to the Implementation Guide for the steps.
AWS Solutions Implementation overview
The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.

AWS Centralized WAF and VPC Security Group Management solution architecture
When the AWS CloudFormation template deploys, it creates three AWS Systems Manager Parameter Store parameters, each with a default value: /FMS/OUs (organizational units), /FMS/Regions, and /FMS/Tags. You can update these parameters using Systems Manager. An Amazon EventBridge rule uses an event pattern to capture the Systems Manager parameter update event, and the rule invokes an AWS Lambda function. The Lambda function installs a set of predefined AWS Firewall Manager security policies across the user-specified OUs. The policies include a WAF web access control list (web ACL) consisting of AWS managed rule groups and VPC security group audit policies. Additionally, if you have a subscription to AWS Shield Advanced, this solution deploys Shield Advanced policies to protect against DDoS attacks. The Lambda function saves policy metadata in an Amazon DynamoDB table.
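The following is an added example, not code from the solution or from this page, that illustrates the event flow just described: an EventBridge rule scoped to the three /FMS/* parameters filters Systems Manager "Parameter Store Change" events so that only changes to the solution's own parameters reach the policy-installing Lambda function, and the Lambda function then turns the parameter values into the scope (OUs, Regions, tags) it would apply. The event pattern shown, the comma-separated value format, and the function names are assumptions; the event shape follows the Parameter Store Change event that Systems Manager publishes to EventBridge.

```python
"""Added example (not the solution's own code): rule filtering plus scope parsing
for the /FMS/OUs, /FMS/Regions and /FMS/Tags parameters.

Assumptions: the rule pattern below, comma-separated parameter values, and the
helper names are illustrative; the event layout follows the Systems Manager
'Parameter Store Change' event delivered through EventBridge."""

FMS_PARAMETER_NAMES = ["/FMS/OUs", "/FMS/Regions", "/FMS/Tags"]

# Assumed event pattern for the EventBridge rule. Restricting "name" to the three
# solution parameters keeps unrelated Parameter Store activity (for example
# SecureString updates in other applications) from invoking the Lambda function.
# Only Create and Update are matched, since the page describes a parameter
# "update" trigger; a Delete would need its own handling.
EVENT_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["Parameter Store Change"],
    "detail": {
        "name": FMS_PARAMETER_NAMES,
        "operation": ["Create", "Update"],
    },
}


def matches(pattern, event):
    """Minimal re-implementation of EventBridge exact-value matching:
    a leaf matches when the event value appears in the pattern's list,
    and nested objects are matched key by key."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def triggered_parameters(events):
    """Return the names of the FMS parameters whose change events pass the
    rule, in the order received; every other event is dropped by the rule."""
    return [ev["detail"]["name"] for ev in events if matches(EVENT_PATTERN, ev)]


def parse_scope(parameter_values):
    """Turn the three parameter values into the scope the Lambda function
    would apply. Assumption: each value is a comma-separated list; blank
    entries and surrounding whitespace are dropped."""

    def split(value):
        return [item.strip() for item in value.split(",") if item.strip()]

    return {
        "ous": split(parameter_values.get("/FMS/OUs", "")),
        "regions": split(parameter_values.get("/FMS/Regions", "")),
        "tags": split(parameter_values.get("/FMS/Tags", "")),
    }


# Constructed sample events; not captured from a real account.
SAMPLE_EVENTS = [
    {"source": "aws.ssm", "detail-type": "Parameter Store Change",
     "detail": {"name": "/FMS/Regions", "type": "StringList", "operation": "Update"}},
    {"source": "aws.ssm", "detail-type": "Parameter Store Change",
     "detail": {"name": "/App/DbPassword", "type": "SecureString", "operation": "Update"}},
    {"source": "aws.ssm", "detail-type": "Parameter Store Change",
     "detail": {"name": "/FMS/OUs", "type": "StringList", "operation": "Delete"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
]

# Constructed parameter values as the Lambda function would read them back.
SAMPLE_PARAMETERS = {
    "/FMS/OUs": "ou-example-aaaaaaaa, ou-example-bbbbbbbb",
    "/FMS/Regions": " us-east-1,eu-west-1 ",
    "/FMS/Tags": "",
}

if __name__ == "__main__":
    print("events that invoke the Lambda:", triggered_parameters(SAMPLE_EVENTS))
    print("scope applied:", parse_scope(SAMPLE_PARAMETERS))
```

Of the four constructed events only the /FMS/Regions update passes the rule: the SecureString change has a different name, the /FMS/OUs Delete is not a listed operation, and the EC2 event has a different source. Keeping the "name" list in the rule pattern is what prevents the solution's Lambda function from being invoked by unrelated Parameter Store changes elsewhere in the account.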
AWS Centralized WAF and VPC Security Group Management
Version 1.0.0
Last updated: 09/2020
Author: AWS
Estimated deployment time: 3 min
Features
Easily configure WAF and Security Group audit rules in your AWS Organizations accounts
Deploy DDoS protection across accounts
Automate AWS Firewall Manager installation