AWS Firewall Manager

What is AWS Firewall Manager?

AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations.

Key Benefits of AWS Firewall Manager

• Simplify management of firewall rules across your accounts
• Centrally deploy protections for your VPCs
• Ensure compliance of existing and new applications
• Easily deploy managed rules across accounts

AWS Firewall Manager features

• Centrally deploy AWS Network Firewall across VPCs
• Automatically deploy Amazon VPC security groups, AWS WAF rules, AWS Shield Advanced protections, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules
• Multi-account resource groups
• Cross-account protection policies
• Hierarchical rule enforcement
• Dashboard with compliance notifications
• Audit existing and future security groups in your VPCs

Prerequisites for AWS Firewall Manager

There are three mandatory pre-requisites and one optional pre-requisite to use AWS Firewall Manager.

• AWS Organizations - Your accounts must be part of AWS Organizations and have enabled all features.
• Set the AWS Firewall Manager Administrator Account - Firewall Manager must be associated with the management account of your AWS organization or associated with a member account that has the appropriate permissions. The account that you associate with
• Firewall Manager is called the Firewall Manager administrator account.
• Enable AWS Config on accounts - Enable AWS Config for each member account in your organization.
• Enable AWS Resource Access Manager (Optional) - To enable Firewall Manager to centrally configure AWS Network Firewalls or associate Amazon Route 53 Resolver DNS Firewall rules across accounts and VPCs, you must first enable sharing of resources using AWS Resource Access Manager.

How do I use AWS Firewall Manager?

• First, complete the prerequisites mentioned above.
• Second, create a policy type for AWS WAF, AWS Shield Advanced, VPC security group, AWS Network Firewall, or Amazon Route 53 Resolver DNS Firewall.
• Third, depending on the policy, specify the set of rules or protections. For example, for a policy for AWS WAF specify the rule groups (custom or managed) that you want to deploy across accounts. Similarly, for a VPC security group policy, reference the security group you want replicated in each resource within accounts. For AWS Network Firewall, specify the rule groups (stateful and stateless) that you want to deploy across VPCs in your accounts. For Amazon Route 53 Resolver DNS Firewall, specify the set of rules (rule groups) you want to associate with your VPCs in your accounts.
• Fourth, specify the scope of the policy by choosing the accounts, resource type and, optionally, resource tags, where you want the policy to be deployed.
• Finally, you can review and create the policy. Firewall Manager will automatically apply the rules and protections to all resources across accounts.

Once complete, Firewall Manager also shows a compliance dashboard indicating any accounts/resources that are non-compliant and those that are compliant.

Dashboard and Visibility

How can I view the compliance status to a particular policy?

With Firewall Manager you can quickly view the compliance status for each policy by looking at how many accounts are included in the scope of the policy and how many out of those are compliant. Further, for each policy configured on Firewall Manager, you get a compliance dashboard. The central compliance dashboard allows you to view which accounts are non-compliant to a given policy, which specific resources are non-compliant, and also provides information about the reason why a particular resource is not compliant. You can also view non-compliant events for each account on AWS Security Hub.

Does AWS Firewall Manager provide notifications when a resource is non-compliant?

Yes, you can create new SNS notification channels to receive real-time notifications when new non-compliant resources are discovered. Similarly, each account scoped as part of a Firewall Manager policy is notified for non-compliant events on AWS Security Hub.

How can I view all threats across my organization?

For each Firewall Manager policy created, you can aggregate CloudWatch metrics for each Rule in the Rule Group, indicating how many requests were allowed or blocked across the entire organization. This gives you a central place to set up alerts for threats across your organization.

New Feature

AWS Firewall Manager now supports AWS Shield Advanced automatic application layer DDoS mitigation

AWS Firewall Manager now enables you to centrally deploy AWS Shield Advanced automatic application layer (L7) DDoS protections across accounts in your organization. AWS Shield Advanced automatic L7 DDoS protections block application layer DDoS events with no manual intervention needed. With this launch, security administrators for AWS Firewall Manager can now enable automatic L7 DDoS protections across accounts using the Firewall Manager security policy for AWS Shield Advanced.

To get started, enable automatic L7 DDoS mitigation on a Firewall Manager Shield Advanced policy. A Shield-managed WAF rule group will then be added to a WAF web access control list (web ACL) for the resources under protection. Shield Advanced evaluates each WAF rule it creates against normal traffic into your resources to minimize false positives and deploys them in either count, allow, or block mode.

Hope you liked this Blog!

More to come on AWS Security!!