Overview

The Automations for AWS Firewall Manager solution allows you to centrally configure, manage, and audit firewall rules across all your accounts and resources in AWS Organizations. This solution is a reference implementation to automate the process to set up AWS Firewall Manager security policies.
This solution provides preconfigured rules that can be deployed across AWS Organizations to complete the following:
- Configure application-level firewalls for AWS WAF.
- Audit unused and overly permissive Amazon Virtual Private Cloud (Amazon VPC) security groups.
- Configure domain name system (DNS) firewall to block queries for bad domains.
This solution helps you to create a quick baseline of firewall security rules across Layers 3-7 resources and maintain a consistent security posture within your organization. Additionally, this solution deploys Shield Advanced policies for customers who subscribe to AWS Shield Advanced, to protect their AWS accounts against Distributed Denial of Service (DDoS) attacks.
Note: You can use this solution if you already use Firewall Manager in your organization; however, you must install the solution in your Firewall Manager admin account. If you have not already set up Firewall Manager, refer to the Implementation Guide for the steps.
Benefits

Easily configure and audit WAF, DNS, and Security Group rules in your multi-account AWS environments using AWS Firewall Manager.
Leverage this solution to install the prerequisites needed to use Firewall Manager, so you can spend more time focusing on your specific security needs.
Leverage your AWS Shield Advanced subscription to deploy DDoS protection across accounts in AWS Organizations.
Technical details

The AWS CloudFormation template deploys an architecture that can be grouped into two separate workflows: Policy manager and Compliance report generator.
Step 1 (Policy manager)
An AWS Systems Manager Parameter Store containing three parameters: /FMS/OUs, /FMS/Regions, and /FMS/Tags. Update these parameters using Systems Manager.
Step 2 (Policy manager)
An Amazon EventBridge rule uses an event pattern to capture the Systems Manager parameter update event.
Step 3 (Policy manager)
An Amazon EventBridge rule invokes an AWS Lambda function.
Step 4 (Policy manager)
The Lambda function installs a set of predefined AWS Firewall Manager security policies across the user-specified OUs. Additionally, if you have a subscription to AWS Shield Advanced, this solution deploys Shield Advanced policies to protect against Distributed Denial of Service (DDoS) attacks.
Step 5 (Policy manager)
The PolicyManager Lambda function fetches the policy manifest file from the Amazon Simple Storage Service (Amazon S3) bucket and uses the manifest file to create AWS Firewall Manager security policies.
Step 6 (Policy manager)
AWS Lambda saves policy metadata in the Amazon DynamoDB table. For a complete list of policies and rule sets that are installed and information about the recommended policy default results and where they are contained.
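The Policy manager path above (steps 1 through 6) can be exercised offline with a small model of each stage. The following is an added example, not code from the solution: it assumes the documented shape of the aws.ssm "Parameter Store Change" event and of the Firewall Manager put_policy input, and the FakeSSM client, the MANIFEST entries and the sample parameter values are constructed stand-ins for the real SSM client, the manifest file in S3 and your own parameters. The one point the steps do not spell out, and which the example enforces, is that malformed OU ids or Region names in the parameters should fail the run rather than silently widen the policy scope.

```python
# Added example (not the solution's own code): the Policy manager path in miniature.
# Assumed: the aws.ssm "Parameter Store Change" event shape and the FMS put_policy
# Policy shape are as documented by AWS. FakeSSM, MANIFEST and the SAMPLE_* values
# are constructed stand-ins for the real SSM client, the S3 manifest and your parameters.
import json
import re

# Step 2: the event pattern a rule uses to capture updates to the three parameters.
EVENT_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["Parameter Store Change"],
    "detail": {"name": ["/FMS/OUs", "/FMS/Regions", "/FMS/Tags"],
               "operation": ["Create", "Update"]},
}

def matches_pattern(event, pattern=EVENT_PATTERN):
    """Subset of EventBridge matching: each pattern key must exist in the event and
    its value must be one of the listed alternatives; nested objects recurse."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not (isinstance(event[key], dict) and matches_pattern(event[key], allowed)):
                return False
        elif event[key] not in allowed:
            return False
    return True

OU_RE = re.compile(r"^(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")

class FakeSSM:
    """Constructed stand-in for boto3's SSM client (get_parameter only)."""
    def __init__(self, values):
        self._values = values
    def get_parameter(self, Name):
        return {"Parameter": {"Name": Name, "Value": self._values[Name]}}

def read_scope(ssm):
    """Steps 1 and 4: read the three parameters and reject malformed OU ids and
    Regions before any policy is created."""
    def csv_list(name):
        raw = ssm.get_parameter(Name=name)["Parameter"]["Value"]
        return [v.strip() for v in raw.split(",") if v.strip()]
    ous, regions = csv_list("/FMS/OUs"), csv_list("/FMS/Regions")
    bad = [o for o in ous if not OU_RE.match(o)] + [r for r in regions if not REGION_RE.match(r)]
    if bad:
        raise ValueError(f"rejecting malformed scope values: {bad}")
    tags = json.loads(ssm.get_parameter(Name="/FMS/Tags")["Parameter"]["Value"])
    return {"ous": ous, "regions": regions, "tags": tags}

# Constructed stand-in for the manifest fetched from S3 in step 5.
MANIFEST = [
    {"name": "FMS-WAF-01", "type": "WAFV2",
     "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
     "managedServiceData": {"type": "WAFV2", "preProcessRuleGroups": [], "postProcessRuleGroups": [],
                            "defaultAction": {"type": "ALLOW"}, "overrideCustomerWebACLAssociation": False}},
    {"name": "FMS-SG-Audit-01", "type": "SECURITY_GROUPS_USAGE_AUDIT",
     "resourceType": "AWS::EC2::SecurityGroup",
     "managedServiceData": {"type": "SECURITY_GROUPS_USAGE_AUDIT",
                            "deleteUnusedSecurityGroups": False, "coalesceRedundantSecurityGroups": False}},
]

def build_policy(entry, scope):
    """Translate one manifest entry plus the SSM scope into a put_policy Policy object.
    ManagedServiceData is a JSON string in the FMS API, hence json.dumps."""
    return {
        "PolicyName": entry["name"],
        "SecurityServicePolicyData": {"Type": entry["type"],
                                      "ManagedServiceData": json.dumps(entry["managedServiceData"])},
        "ResourceType": entry["resourceType"],
        "ResourceTags": scope["tags"].get("ResourceTags", []),
        "ExcludeResourceTags": bool(scope["tags"].get("ExcludeResourceTags", False)),
        "IncludeMap": {"ORGUNIT": scope["ous"]},
        "RemediationEnabled": False,
    }

def handler(event, ssm, manifest=MANIFEST):
    """Steps 2 to 6 as one function: ignore events the rule would not match, otherwise
    return the policies (one per manifest entry) and the metadata rows step 6 stores."""
    if not matches_pattern(event):
        return {"policies": [], "metadata": []}
    scope = read_scope(ssm)
    policies = [build_policy(e, scope) for e in manifest]
    metadata = [{"PolicyName": p["PolicyName"], "Regions": scope["regions"]} for p in policies]
    return {"policies": policies, "metadata": metadata}

# Constructed sample event and parameter values.
SAMPLE_EVENT = {"source": "aws.ssm", "detail-type": "Parameter Store Change",
                "detail": {"name": "/FMS/OUs", "type": "StringList", "operation": "Update"}}
SAMPLE_SSM = FakeSSM({
    "/FMS/OUs": "ou-abcd-11111111, ou-abcd-22222222",
    "/FMS/Regions": "us-east-1,eu-west-1",
    "/FMS/Tags": '{"ResourceTags": [{"Key": "Environment", "Value": "prod"}], "ExcludeResourceTags": false}',
})

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT, SAMPLE_SSM), indent=2))
```

In a deployed function the FakeSSM would be a real boto3 SSM client, the manifest would come from S3, and each built Policy object would be passed to put_policy and its response recorded in DynamoDB; the validation in read_scope is the part worth keeping, since a typo in /FMS/OUs is otherwise discovered only after policies have been created.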
Step 1 (Compliance report generator)
A time-based Amazon EventBridge rule invokes the Compliance Generator Lambda function.
Step 2 (Compliance report generator)
The Compliance Generator Lambda function fetches Firewall Manager policies in each Region and publishes the list of policy IDs to the Amazon SNS topic.
Step 3 (Compliance report generator)
The Amazon SNS topic invokes the Compliance Generator Lambda function with the payload {PolicyId: string, Region: string}.
Step 4 (Compliance report generator)
The compliance generator generates a compliance report for each of the policies and uploads the report in CSV format in an Amazon S3 bucket.
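The Compliance report generator path (steps 1 through 4) can likewise be modelled offline. The following is an added example, not the solution's own code: it assumes the documented response shapes of the Firewall Manager list_policies, list_compliance_status and get_compliance_detail calls and the way SNS wraps a message inside Records[].Sns.Message when it invokes Lambda; FakeFMS, the CLIENTS data, the policy ids and the ARNs are constructed. The example also validates the {PolicyId: string, Region: string} payload before using it to select a client, so a malformed message fails loudly instead of producing an empty report.

```python
# Added example (not the solution's own code): the Compliance report generator path.
# Assumed: boto3 FMS response shapes and the SNS-to-Lambda event shape as documented by AWS.
# FakeFMS and the CLIENTS sample data (policy ids, account ids, ARNs) are constructed.
import csv
import io
import json

class FakeFMS:
    """Constructed stand-in for a Region-bound boto3 FMS client."""
    def __init__(self, policies, status, details):
        self._policies, self._status, self._details = policies, status, details
    def list_policies(self, **kwargs):
        return {"PolicyList": self._policies}
    def list_compliance_status(self, PolicyId, **kwargs):
        return {"PolicyComplianceStatusList": self._status.get(PolicyId, [])}
    def get_compliance_detail(self, PolicyId, MemberAccount):
        return {"PolicyComplianceDetail": self._details.get((PolicyId, MemberAccount), {"Violators": []})}

def publish_policy_ids(clients, publish):
    """Step 2: one SNS message per (policy, Region). `publish` stands in for sns.publish."""
    sent = []
    for region, fms in clients.items():
        for p in fms.list_policies()["PolicyList"]:
            msg = {"PolicyId": p["PolicyId"], "Region": region}
            publish(Message=json.dumps(msg))
            sent.append(msg)
    return sent

def parse_sns_event(event):
    """Step 3: SNS delivers the payload as a JSON string in Records[].Sns.Message.
    Accept only the expected {PolicyId: string, Region: string} shape."""
    payloads = []
    for record in event.get("Records", []):
        msg = json.loads(record["Sns"]["Message"])
        if not (isinstance(msg.get("PolicyId"), str) and isinstance(msg.get("Region"), str)):
            raise ValueError(f"unexpected payload: {msg}")
        payloads.append(msg)
    return payloads

REPORT_COLUMNS = ["PolicyId", "PolicyName", "Region", "MemberAccount",
                  "ComplianceStatus", "ResourceId", "ResourceType", "ViolationReason"]

def build_report(fms, policy_id, region):
    """Step 4: CSV with one row per compliant account and one row per violating
    resource in non-compliant accounts (details fetched only where needed)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REPORT_COLUMNS)
    writer.writeheader()
    for acct in fms.list_compliance_status(PolicyId=policy_id)["PolicyComplianceStatusList"]:
        base = {"PolicyId": policy_id, "PolicyName": acct["PolicyName"], "Region": region,
                "MemberAccount": acct["MemberAccount"]}
        results = acct.get("EvaluationResults", [])
        non_compliant = any(r["ComplianceStatus"] == "NON_COMPLIANT" for r in results)
        if not non_compliant:
            writer.writerow({**base, "ComplianceStatus": "COMPLIANT",
                             "ResourceId": "", "ResourceType": "", "ViolationReason": ""})
            continue
        detail = fms.get_compliance_detail(PolicyId=policy_id, MemberAccount=acct["MemberAccount"])
        for v in detail["PolicyComplianceDetail"]["Violators"]:
            writer.writerow({**base, "ComplianceStatus": "NON_COMPLIANT", "ResourceId": v["ResourceId"],
                             "ResourceType": v["ResourceType"], "ViolationReason": v["ViolationReason"]})
    return buf.getvalue()

def handle_report_event(event, clients, upload):
    """Lambda entry for steps 3 and 4: `upload(Key=, Body=)` stands in for s3.put_object."""
    keys = []
    for msg in parse_sns_event(event):
        body = build_report(clients[msg["Region"]], msg["PolicyId"], msg["Region"])
        key = f"compliance/{msg['Region']}/{msg['PolicyId']}.csv"
        upload(Key=key, Body=body)
        keys.append(key)
    return keys

# Constructed sample: two Regions, one policy each, one non-compliant account with two violators.
LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/web/0123456789abcdef"
CLIENTS = {
    "us-east-1": FakeFMS(
        policies=[{"PolicyId": "p-1111", "PolicyName": "FMS-WAF-01"}],
        status={"p-1111": [
            {"MemberAccount": "111111111111", "PolicyName": "FMS-WAF-01",
             "EvaluationResults": [{"ComplianceStatus": "COMPLIANT", "ViolatorCount": 0}]},
            {"MemberAccount": "222222222222", "PolicyName": "FMS-WAF-01",
             "EvaluationResults": [{"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 2}]}]},
        details={("p-1111", "222222222222"): {"Violators": [
            {"ResourceId": LB_ARN, "ViolationReason": "RESOURCE_MISSING_WEB_ACL",
             "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer"},
            {"ResourceId": LB_ARN.replace("web", "api"), "ViolationReason": "WEB_ACL_MISSING_RULE_GROUP",
             "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer"}]}}),
    "eu-west-1": FakeFMS(policies=[{"PolicyId": "p-2222", "PolicyName": "FMS-SG-Audit-01"}],
                         status={"p-2222": []}, details={}),
}

if __name__ == "__main__":
    for msg in publish_policy_ids(CLIENTS, lambda **kw: None):
        print(build_report(CLIENTS[msg["Region"]], msg["PolicyId"], msg["Region"]))
```

With real clients the FMS list calls are paginated (NextToken), so a production version loops until no token is returned; the CSV layout and the fan-out of one SNS message per policy and Region are unchanged by that.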
Related content

This course provides an overview of AWS security technology, use cases, benefits, and services. The infrastructure protection section covers AWS WAF for traffic filtering.
This course introduces you to AWS Organizations, the service that offers policy-based management for multiple AWS accounts. We discuss key features and terminology, review how to access and use the service, and provide a demonstration.
This exam tests your technical expertise in securing the AWS platform. This is for anyone in an experienced security role.