What does this AWS Solutions Implementation do?

The AWS Centralized WAF and VPC Security Group Management solution allows you to centrally configure, manage, and audit firewall rules across all your accounts and resources in AWS Organizations. This solution is a reference implementation that automates the setup of AWS Firewall Manager security policies.

This solution provides pre-configured rules that can be deployed across accounts to (1) configure application-layer firewall rules with AWS WAF and (2) audit unused and overly permissive virtual private cloud (VPC) security groups. It can also automatically enable the prerequisites required to use Firewall Manager, so you can spend more time focusing on your specific security needs.

This solution helps AWS enterprise customers quickly establish a baseline of firewall security rules for Layer 3 to Layer 7 resources and maintain a consistent security posture across their organization. Additionally, for customers who subscribe to AWS Shield Advanced, this solution deploys Shield Advanced policies to protect resources in their AWS accounts against Distributed Denial of Service (DDoS) attacks.

Note: This solution must be installed in your Firewall Manager admin account. If you have not already set up Firewall Manager, refer to the Implementation Guide for the steps.

AWS Solutions Implementation overview

The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.

[Figure: AWS Centralized WAF and VPC Security Group Management solution architecture diagram]

When the AWS CloudFormation template deploys, it creates three AWS Systems Manager Parameter Store parameters, each with default values: /FMS/OUs (organizational units), /FMS/Regions, and /FMS/Tags. You can update these parameters using Systems Manager. An Amazon EventBridge rule uses an event pattern to capture the Systems Manager parameter update event and invokes an AWS Lambda function. The Lambda function installs a set of predefined AWS Firewall Manager security policies across the user-specified OUs. The policies include an AWS WAF web access control list (web ACL) consisting of AWS managed rule groups, and VPC security group audit policies. Additionally, if you have a subscription to AWS Shield Advanced, this solution deploys Shield Advanced policies to protect against DDoS attacks. The Lambda function saves policy metadata in an Amazon DynamoDB table.
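To make the update path concrete, the following is an added example (not the solution's own Lambda code): it shows the shape of the Parameter Store change event the EventBridge rule matches, reads the three /FMS/* parameters, and assembles the Policy argument for a Firewall Manager put_policy call for an AWS WAF web ACL built from AWS managed rule groups. No AWS calls are made; the parameter values are constructed inline, and their formats (comma-separated lists for OUs and Regions, a JSON object for Tags), the policy name, and the chosen rule groups and resource types are assumptions for this example. The ManagedServiceData layout follows the Firewall Manager API documentation for WAFV2 policies; check it against the current API reference before use.

```python
"""Added example: from a /FMS/* parameter change event to a Firewall Manager policy."""
import json

# Constructed stand-in for the three parameters the template creates.
# Value formats are an assumption for this example.
PARAMETER_STORE = {
    "/FMS/OUs": "ou-abcd-11111111,ou-abcd-22222222",
    "/FMS/Regions": "us-east-1,eu-west-1",
    "/FMS/Tags": json.dumps({"ResourceTags": [{"Key": "Environment", "Value": "prod"}],
                             "ExcludeResourceTags": False}),
}

# Event pattern of the kind the EventBridge rule uses; source and detail-type
# are the values EventBridge emits for Parameter Store changes.
EVENT_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["Parameter Store Change"],
    "detail": {"name": ["/FMS/OUs", "/FMS/Regions", "/FMS/Tags"],
               "operation": ["Create", "Update", "Delete"]},
}

# Constructed sample event as forwarded to the Lambda function.
SAMPLE_EVENT = {
    "source": "aws.ssm",
    "detail-type": "Parameter Store Change",
    "detail": {"name": "/FMS/OUs", "type": "StringList", "operation": "Update"},
}


def event_matches(event, pattern=EVENT_PATTERN):
    """EventBridge-style matching: each pattern key must exist in the event and
    its value must be one of the listed alternatives (nested dicts recurse)."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not event_matches(event[key], allowed):
                return False
        elif event[key] not in allowed:
            return False
    return True


def read_parameters(store):
    """Split the StringList parameters and decode the tag filter JSON."""
    ous = [x.strip() for x in store["/FMS/OUs"].split(",") if x.strip()]
    regions = [x.strip() for x in store["/FMS/Regions"].split(",") if x.strip()]
    tags = json.loads(store["/FMS/Tags"])
    return ous, regions, tags


def waf_managed_service_data(rule_groups):
    """ManagedServiceData JSON for a WAFV2 policy: the named AWS managed rule
    groups run before any customer rules; the web ACL allows by default."""
    return json.dumps({
        "type": "WAFV2",
        "preProcessRuleGroups": [
            {"ruleGroupArn": None,
             "overrideAction": {"type": "NONE"},
             "managedRuleGroupIdentifier": {"version": None, "vendorName": "AWS",
                                            "managedRuleGroupName": name},
             "ruleGroupType": "ManagedRuleGroup",
             "excludeRules": []}
            for name in rule_groups
        ],
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        "overrideCustomerWebACLAssociation": False,
        "loggingConfiguration": None,
    })


def build_waf_policy(ous, tags, policy_name="FMS-WAF-Baseline"):
    """Policy argument for fms.put_policy(Policy=...), scoped to the OUs from
    /FMS/OUs via IncludeMap and to resources matching the /FMS/Tags filter."""
    return {
        "PolicyName": policy_name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": waf_managed_service_data(
                ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]),
        },
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": ["AWS::ElasticLoadBalancingV2::LoadBalancer",
                             "AWS::ApiGateway::Stage"],
        "ResourceTags": tags["ResourceTags"],
        "ExcludeResourceTags": tags["ExcludeResourceTags"],
        "RemediationEnabled": True,
        "IncludeMap": {"ORG_UNIT": ous},
    }


def handler(event, store=PARAMETER_STORE):
    """Ignore events the rule would not forward; otherwise return one policy
    per region from /FMS/Regions (Firewall Manager policies are regional)."""
    if not event_matches(event):
        return None
    ous, regions, tags = read_parameters(store)
    policy = build_waf_policy(ous, tags)
    # Real deployment: boto3.client("fms", region_name=r).put_policy(Policy=policy)
    # for each region, then persist the returned PolicyId in DynamoDB.
    return {region: policy for region in regions}
```

Because the three parameters drive which OUs, regions, and tagged resources the policies cover, treat write access to the /FMS/ parameter path as privileged: anyone who can call ssm:PutParameter on it can widen or narrow the enforced scope, so restrict that permission to the Firewall Manager administrators.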

AWS Centralized WAF and VPC Security Group Management

Version 1.0.0
Last updated: 09/2020
Author: AWS

Estimated deployment time: 3 min



Easily configure WAF and Security Group audit rules in your AWS Organizations accounts

Configure AWS WAF rules and Security Group audit rules across your multi-account AWS environment using AWS Firewall Manager.

Deploy DDoS protection across accounts

Leverage your AWS Shield Advanced subscription to deploy DDoS protection across accounts in AWS Organizations.

Automate AWS Firewall Manager installation

Leverage this solution to install the prerequisites needed to use AWS Firewall Manager.