DEV Community

Kazuya

AWS re:Invent 2025 - Level up your AWS Network Firewall rules for maximum protection (SEC231)

🦄 Making great presentations more accessible.
This project aims to enhance multilingual accessibility and discoverability while maintaining the integrity of the original content. Detailed transcriptions and keyframes preserve the nuances and technical insights that make each session compelling.

Overview

📖 AWS re:Invent 2025 - Level up your AWS Network Firewall rules for maximum protection (SEC231)

In this video, Amish Shah, product manager for AWS Network Firewall Service, introduces new features that simplify security management. He presents Active Threat Defense, an AWS managed rule using Amazon Madpot infrastructure that updates every 10 minutes with curated threat intelligence. The major announcement is AWS Partner managed rules, enabling customers to deploy threat intelligence from seven partners—Checkpoint, Fortinet, Infoblox, Lumen, Rapid7, Trend Micro, and Threat Stop—directly through the Network Firewall console. These partner rules provide protections against CVEs, OWASP top 10 vulnerabilities, malware, ransomware, and compliance requirements like PCI DSS and OFAC sanctions. Shah emphasizes that these managed rules eliminate operational overhead by automatically updating without manual configuration, reducing security risks from misconfigurations while maintaining robust protection for ingress filtering, egress filtering, and VPC-to-VPC security use cases.


This article is entirely auto-generated while preserving the original presentation content as much as possible. Please note that there may be typos or inaccuracies.

Main Part

Thumbnail 0

Introduction to AWS Network Firewall: Addressing Customer Security Challenges

Hello everyone. How are you all doing? Good. Day one, re:Invent, we are back. So last year when I was here at re:Invent, many of you actually asked how we can stay ahead of emerging threats. You asked for simpler security without compromising on protections. But there's always this thin margin because if you oversimplify, you can potentially increase security risk, because one wrong rule in your firewall policy can make your network vulnerable. And this is the challenge that our customers face on a daily basis. You asked for protections that are dynamic. We heard and worked backwards from there. And today, we are going to talk about some of the new features in AWS Network Firewall that help you keep your workloads secure without adding additional complexity or network overhead.

My name is Amish Shah. I'm the product manager for the AWS Network Firewall service, and I'll be touching on some of these new capabilities that keep your workloads secure within your VPC and help you maintain compliance and business requirements. Before diving deep into what we have launched, I just want to give a brief overview of AWS Network Firewall.

Thumbnail 90

AWS Network Firewall allows you to easily deploy essential network protections on your VPC workloads. It is a fully managed firewall service, which means you don't have to worry about deploying the firewall infrastructure or the ongoing software upgrades on the firewall appliances. They are done dynamically for you. It is highly reliable and scalable. You get up to 100 gigabits per second per Availability Zone within the firewall. It also offers a built-in stateful inspection engine, so you can write rules based on IP addresses, applications, and fully qualified domain names. You can even write custom rules to match against specific types of TCP headers. All these capabilities are available to you natively within Network Firewall, and it is fully integrated with the Firewall Manager service.

Thumbnail 160

So you can deploy consistent security across all your VPCs and all your AWS accounts using the Firewall Manager service. Let's look at some of the common use cases where customers use AWS Network Firewall. Starting with ingress filtering, this is where customers like to prevent intrusion using stateful inspection capabilities, protocol detection, and IDS/IPS capabilities. Then we have egress filtering. This is one of our most common use cases, where customers have workloads that are trying to reach out to the internet, for example talking to GitHub. Once you allow those connections, it can potentially open a back channel for an attacker to add malware and exfiltrate data.

Network Firewall monitors these outbound connections and helps you protect any connections with the command and control centers. So you can apply policies such that your workloads can only talk to authorized destinations. This is a very common use case for our regulated customers. And finally, VPC to VPC security or east-west protections. Here, customers want to prevent lateral movement of traffic and create logical boundaries between their VPC workloads. This is very common in regulated industries like banking and financial services. So depending on your use cases, you create your network firewall policy and write rules to protect traffic.

Thumbnail 270

Thumbnail 280

Enhanced Threat Intelligence: Active Threat Defense and AWS Partner Managed Rules

But writing rules and managing them at scale is one of the key challenges that we have heard from you. And that's where we have launched a bunch of simplifications that give you the protection that you need without adding operational overhead on your teams. So I want to talk about some of the enhancements in the threat intelligence area that you get from AWS Network Firewall. First, I want to talk about Active Threat Defense. This is an AWS managed rule that is available to you on AWS Network Firewall. The threat intelligence is generated using the Amazon MadPot infrastructure. MadPot is our global fleet of digital decoys, or honeypots.

Thumbnail 340

They appear to an outsider as a vulnerable AWS service. An attacker will then try to exploit that vulnerability. We use this to understand the tactics, techniques, and procedures used by attackers, and then curate rules based on that threat intelligence. MadPot threat intelligence is used today to protect AWS infrastructure globally, but you asked us to leverage that unique infrastructure and threat intelligence to protect your own workloads. Active Threat Defense is our response to that.

Thumbnail 400

Using Active Threat Defense, you get curated rules from AWS security experts that contain indicators of compromise and signatures for active threats. We constantly update these rules every 10 minutes, so that if there are active attacks, those rules are already in your Network Firewall policy. If attacks are no longer active, those rules are cleaned up, so you always get up-to-date rule sets. It is centrally integrated with GuardDuty, so if you are using GuardDuty, you get central visibility into emerging and active threats.

Thumbnail 430

Finally, the rules are constantly updated, so you don't have to worry about writing those rules or writing a custom Lambda-based solution to keep these rules up to date. Beyond Active Threat Defense, I'm excited to announce the availability of AWS Partner managed rules on AWS Network Firewall. This new enhancement allows you to easily leverage threat intelligence from AWS Marketplace partners such as Checkpoint, Fortinet, Infoblox, Lumen, Rapid7, Trend Micro, and Threat Stop.

Thumbnail 480

Why does this matter? Now, as a customer, you get threat intelligence from top AWS Marketplace partners directly with just a few clicks, and you can use them on AWS Network Firewall to secure inbound and outbound traffic from your VPCs. These rules are constantly updated by our partners, so you always get proactive protection against emerging and active threats. Finally, these are deployed in minutes. You don't have to figure out how to bring in third-party threat intelligence and build your own solution. They are natively available to you from the Network Firewall console.

Thumbnail 510

This was one of the most sought-after requests from many of our customers. While AWS offered AWS managed rules, which are free of charge, and you had the ability to bring in third-party threat intelligence to Network Firewall, you wanted us to make it simpler. With this launch, we are making that process simpler where you can easily add the partner managed rules from the Network Firewall console to your Network Firewall policy.

Thumbnail 540

You can now see the full list of available rule groups and what each of these rule groups does, and you can subscribe to these rule groups. Then you add them to your Network Firewall policy, all from the console itself. You don't have to go back and forth between the Marketplace and Network Firewall or the third-party platforms. These managed rules are constantly updated by our partners. We have seven partners as part of the launch announcement.

Thumbnail 570

You always get proactive protection, you get the best-of-breed threat intelligence, and you choose the rule sets that are important for your business case. We have carefully selected these partners based on their expertise and their proven track record. Let's look into some details on what each of these partners brings with their threat intelligence on Network Firewall.

Partner Solutions Overview: From Checkpoint to Threat Stop and Best Practice Guidelines

Checkpoint Software is one of the global leaders in cybersecurity. They provide a wide range of security solutions to governments and businesses. If you remember, they pioneered stateful firewalls. Now they offer AI-driven, cloud-delivered security solutions. The Checkpoint managed rules for Network Firewall are expertly curated rules from Checkpoint's cloud AI experts.

These rules enhance protections against hundreds of common vulnerabilities and exposures (CVEs). They also have curated rules to protect your workloads from OWASP Top 10 vulnerabilities. You always get holistic coverage across different types of exposures and vulnerabilities without having to manually manage these rule sets.

Thumbnail 640

Next, we have Fortinet. Fortinet is one of the global cybersecurity leaders and a trusted name in the next-generation firewall space. They are bringing their AI-driven threat intelligence natively into AWS Network Firewall. The Fortinet managed IPS rules for AWS Network Firewall offer protections from malware and command and control threats. You get proactive security before any breach can occur in your network because Fortinet will constantly update these rules.

They are offering these managed rules based on their AI-driven threat intelligence, which is currently serving hundreds of thousands of Fortinet customers worldwide. You are now directly getting that same threat intelligence for your AWS workloads. These are coming from FortiGuard Labs. As a customer, it takes just a few clicks to get the managed rule sets from Fortinet. If you are using them on your on-premises deployments and are migrating to the cloud, you can continue using the same threat intelligence from Fortinet on your AWS Network Firewall solution.

Thumbnail 740

Additionally, they help you maintain compliance using AWS best practices. The 148 IPS rules provide PCI DSS compliance and other compliance requirements that require inline inspection for regulated workloads. Next, we have Infoblox. Infoblox unites networking, security, and cloud with their protective DDI platform that gives enterprises resiliency and agility. Trusted by 13,000 plus customers, including the majority of Fortune 100 companies and emerging innovators, they easily offer security and automate critical networking services for these customers.

Customers don't have to worry about deploying these services. They can move fast without worrying about compromises. The Infoblox managed rule for AWS Network Firewall is powered by their predictive DNS threat intelligence. At Infoblox's scale, 70 billion DNS queries are analyzed every day, 4 million plus IOCs are detected every month, 90 percent of detection happens pre-DNS query, and there is a 0.0002 percent false positive rate. You get high-impact rules with low noise, easily available within your Network Firewall policy.

Thumbnail 850

Thumbnail 860

This is one of the managed rules that I'm very excited about because you can easily block newly registered domains, for example, or domains that are known to be high risk by just a single click by enabling this rule set in your Network Firewall policy. Then we have Lumen. Lumen is a global communications service provider that offers a variety of networking and security services across different customers. Their Defender managed rules for Network Firewall bring proactive Black Lotus Labs threat intelligence directly into your AWS environments. Black Lotus Labs identifies and neutralizes dangerous emerging attacks based on the information they have from their global backbone network. These rules are also available natively in the Network Firewall console.

Thumbnail 900

Then we have Rapid7. They are one of the leaders in the threat detection and response space. They offer products such as vulnerability risk management, active persistent threats, and MDR capabilities that offer different types of protections against active threats.

Thumbnail 950

They provide two main categories: active persistent threats, where you have protections against state-sponsored sophisticated threat actors, and the second category is ransomware and cybercrime, which are threats motivated by financial gains. You have protections against APT threats as well as ransomware threats using Rapid7's threat intelligence rules.

Trend Micro is another global company in the cybersecurity space and one of the leaders. They are bringing their threat intelligence, which is the Trend Zero Day Initiative, or ZDI, directly into AWS Network Firewall. With Trend Micro, you now get a simplified cloud IPS solution on Network Firewall. Trend Micro's threat managed rules protect your workloads from malware, active CVEs, as well as emerging threats.

Thumbnail 1020

The key theme here is that you now have all these curated lists of managed rules which you can quickly select and apply to your Network Firewall policy directly from the console itself. You don't have to worry about constantly updating your firewall rules because this is done dynamically for you. You don't have to worry about any misconfigurations which can potentially create a security risk to your networks.

Finally, we have Threat Stop, which is also a cloud-based threat intelligence platform company. They specialize in automating threats into security policies by looking at threat data and converting it into rules which are then enforced on your routers, firewalls, DNS servers, and endpoints. Threat Stop not only protects your workloads from malware, phishing, and active threats, but they also specialize in offering curated rules for OFAC and ITAR sanctions. If you are worried about OFAC sanctions, you can now quickly use these managed rules from Threat Stop and meet your compliance requirements for these sanctions.

Thumbnail 1090

This brings us to the end of our session. I want to give you some generic guidelines on how you should think about your Network Firewall policy. Typically, it's a combination of an allow list and a deny list of rules. To help you create that deny list, we have managed rules both from AWS as well as from our partners that you can now easily apply to your policy.

You can use other features like GeoIP filtering to block traffic going to certain countries. You can use stateful inspection and threat signature rules on Network Firewall. That's how you create your deny list. Then you can start with a generous allow list where you allow certain trusted top-level domains. Eventually, work towards building a narrow allow list of your trusted destinations. We have some features that can help you build that allow list.

Thumbnail 1140

If you'd like to learn more about partner managed rules, we have a blog published that goes into more details and gives you all the configuration steps that you need to know. If you want to learn anything about AWS Network Firewall, talk to your account team. They can always schedule a call with us where we can talk about best practices, how you can optimize your architecture, optimize cost, as well as discuss the roadmap.

With that, thank you so much for your time, and I hope you have a good rest of your day.
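The closing guidelines describe a policy built from a deny list (managed rules plus GeoIP filtering) layered ahead of a narrow egress allow list. The following is an added example, not code from the talk or from AWS, showing how that layering looks as a strict-order Network Firewall rule group and policy: Suricata-compatible `geoip` deny rules are emitted before `tls.sni` / `http.host` allow rules, a small validator confirms the deny rules precede the allow rules and that every `sid` is unique, and the policy structure references the managed rule groups first. The managed rule group ARNs are placeholders (assumption: you replace them with the ARNs shown in the Network Firewall console), the allowed domains and blocked country codes are constructed sample input, and the returned dicts are shaped for boto3's `create_rule_group` and `create_firewall_policy` calls, which are not made here.

```python
"""Strict-order AWS Network Firewall egress policy: deny list before allow list.

Added example, not from the re:Invent talk or from AWS. The managed rule group
ARNs are placeholders to be replaced with real ones from the console.
"""
import re

# Placeholder ARNs (assumption): Active Threat Defense and a partner rule group.
# Every rule group referenced by a strict-order policy must itself be strict-order.
MANAGED_RULE_GROUP_ARNS = [
    "arn:aws:network-firewall:REGION:aws-managed:stateful-rulegroup/ACTIVE-THREAT-DEFENSE-PLACEHOLDER",
    "arn:aws:network-firewall:REGION:aws-managed:stateful-rulegroup/PARTNER-RULES-PLACEHOLDER",
]

RULE_RE = re.compile(r"^(?P<action>pass|drop|alert|reject)\s+\S+.*\bsid:(?P<sid>\d+);")


def build_egress_rules(allowed_domains, blocked_countries, base_sid=1000000):
    """Return a Suricata-compatible rules string for a STRICT_ORDER rule group.

    In strict order the first matching rule wins, so GeoIP deny rules are emitted
    first: a blocked country is dropped even if the destination is also on the
    allow list. $HOME_NET and $EXTERNAL_NET are variables Network Firewall sets
    from the VPC CIDR. There is deliberately no catch-all drop rule here; the
    default deny lives in the policy (see build_firewall_policy).
    """
    lines, sid = [], base_sid
    for cc in blocked_countries:  # 1. deny list: GeoIP keyword on the destination
        lines.append(f'drop ip $HOME_NET any -> $EXTERNAL_NET any (msg:"deny egress to {cc}"; '
                     f"geoip:dst,{cc}; sid:{sid}; rev:1;)")
        sid += 1
    for domain in allowed_domains:  # 2. allow list: exact TLS SNI / HTTP Host match
        lines.append(f'pass tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"allow TLS to {domain}"; '
                     f'flow:to_server; tls.sni; content:"{domain}"; startswith; endswith; nocase; '
                     f"sid:{sid}; rev:1;)")
        sid += 1
        lines.append(f'pass http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"allow HTTP to {domain}"; '
                     f'flow:to_server; http.host; content:"{domain}"; startswith; endswith; nocase; '
                     f"sid:{sid}; rev:1;)")
        sid += 1
    return "\n".join(lines) + "\n"


def validate_rules(rules_string):
    """Sanity-check a generated rule string before uploading it.

    Reports duplicate sids (the API rejects them) and whether every drop rule
    sits above the first pass rule, which is what makes the deny list win.
    """
    actions, sids = [], []
    for line in rules_string.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        actions.append(m.group("action"))
        sids.append(int(m.group("sid")))
    first_pass = next((i for i, a in enumerate(actions) if a == "pass"), len(actions))
    last_drop = max((i for i, a in enumerate(actions) if a == "drop"), default=-1)
    return {
        "rule_count": len(actions),
        "duplicate_sids": sorted({s for s in sids if sids.count(s) > 1}),
        "deny_before_allow": last_drop < first_pass,
    }


def build_rule_group_request(name, rules_string, capacity=100):
    """Keyword arguments for boto3 network-firewall create_rule_group."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {"RulesString": rules_string},
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }


def build_firewall_policy(egress_rule_group_arn, managed_rule_group_arns):
    """FirewallPolicy structure for boto3 create_firewall_policy.

    Managed deny-list groups get the lowest priority numbers so they are evaluated
    first; the custom allow list is last. The default deny is aws:drop_established
    rather than a catch-all drop rule: a blanket drop would kill the TCP handshake
    before the TLS SNI is visible, so no pass rule could ever match.
    drop_established lets the handshake through and drops the flow once it is
    established without a matching pass rule; alert_established logs it.
    """
    refs = [{"ResourceArn": arn, "Priority": i}
            for i, arn in enumerate(managed_rule_group_arns, start=1)]
    refs.append({"ResourceArn": egress_rule_group_arn, "Priority": len(refs) + 1})
    return {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulDefaultActions": ["aws:drop_established", "aws:alert_established"],
        "StatefulRuleGroupReferences": refs,
    }


if __name__ == "__main__":
    # Constructed sample input: one trusted destination, two blocked countries.
    rules = build_egress_rules(["api.github.com"], ["CN", "RU"])
    print(rules)
    print(validate_rules(rules))
```

The design choice worth noting is the absence of a final `drop ip any any -> any any` rule: in strict-order mode that rule would match the SYN of every new connection before the TLS ClientHello carrying the SNI arrives, so the allow list would never fire. Putting the default deny in `StatefulDefaultActions` as `aws:drop_established` is what lets the allow list work while everything not explicitly allowed is still dropped.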


This article is entirely auto-generated using Amazon Bedrock.
