Overview
Automations for AWS Firewall Manager allows you to centrally configure, manage, and audit firewall rules across all your AWS Organizations accounts and resources in an automated way. By using this AWS Solution, you can maintain a consistent security posture across your organization.
This solution provides preset rules to configure application-level firewalls for AWS WAF, audit unused and overly permissive Amazon Virtual Private Cloud (Amazon VPC) security groups, and set up a DNS firewall to block queries for bad domains.
This solution also helps you create a quick baseline of firewall security rules and protect against distributed denial of service (DDoS) attacks through integration with AWS Shield Advanced.
Note: You can use this solution if you already use Firewall Manager in your organization; however, you must install the solution in your Firewall Manager admin account. If you have not already set up Firewall Manager, refer to the implementation guide for the steps.
Benefits
Easily configure and audit AWS WAF, DNS, and security group rules in your multi-account AWS environments using AWS Firewall Manager.
Leverage this solution to install the prerequisites needed to use Firewall Manager, so you can spend more time focusing on your specific security needs.
Leverage your AWS Shield Advanced subscription to deploy DDoS protection across accounts in AWS Organizations.
Technical details
You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.
The architecture can be broken down into two workflows: Policy manager and Compliance report generator.
Step 1
Parameter Store, a capability of AWS Systems Manager, contains three parameters: /FMS/OUs, /FMS/Regions, and /FMS/Tags. Update these parameters using Systems Manager.
Step 2
An Amazon EventBridge rule uses an event pattern to capture the Systems Manager parameter update event.
Step 3
An EventBridge rule invokes an AWS Lambda function.
Step 4
The Lambda function installs a set of predefined AWS Firewall Manager security policies across the user-specified OUs. Additionally, if you have a subscription to AWS Shield, this solution deploys Advanced policies to protect against Distributed Denial of Service (DDoS) attacks.
Step 5
The PolicyManager Lambda function fetches the policy manifest file from the Amazon Simple Storage Service (Amazon S3) bucket and uses the manifest file to create Firewall Manager security policies.
Step 6
Lambda saves policies metadata in the Amazon DynamoDB table.
Step 7
A time-based EventBridge rule invokes the Compliance Generator Lambda function.
Step 8
The Compliance Generator Lambda fetches Firewall Manager policies in each Region and publishes the list of policy IDs in the Amazon Simple Notification Service (Amazon SNS) topic.
Step 9
The Amazon SNS topic invokes the Compliance Generator Lambda function with the payload {PolicyId: string, Region: string}.
Step 10
The ComplianceGenerator Lambda function generates a compliance report for each of the policies and uploads the report in CSV format in an S3 bucket.
Related content
This course provides an overview of AWS security technology, use cases, benefits, and services. The infrastructure protection section covers AWS WAF for traffic filtering.
This course introduces you to AWS Organizations, the service that offers policy-based management for multiple AWS accounts. We discuss key features and terminology, review how access and use the service, and provide a demonstration.
This exam tests your technical expertise in securing the AWS platform. This is for anyone in an experienced security role.
Was this page helpful?
- Publish Date