AWS Firewall Manager

Getting familiar with the AWS Firewall Manager service

AWS Firewall Manager is a security management service that lets us configure firewall rules centrally across the applications and accounts that belong to the same AWS Organization.

When an application is deployed, Firewall Manager applies the security rules defined in its policies and keeps them enforced, so that resources that violate them (for example, a non-compliant Security Group) are detected and removed automatically.

It is a central service whose features include creating security policies, enforcing them, and continuously scanning the resources of a large environment for compliance.

The capabilities that Firewall Manager provides to Security Groups fall into three main categories:

  1. Initialize and apply baseline security rules to Security Groups.
  2. Review and clean up duplicate and unused Security Groups.
  3. Identify Security Group rule definitions that are too open and therefore high-risk.

(Figure: Firewall Manager architecture)

Prerequisites

To prepare and activate AWS Firewall Manager when using the service for the first time, we need to perform the following steps in order:

  1. Set up AWS Organizations.
  2. Configure the Firewall Manager Administrator account.
  3. Enable AWS Config service.
  4. Enable resource sharing (required for Network Firewall policies).

Setting up AWS Organizations

If your AWS account is already a member of an AWS Organization, you can move on to the next step. If not, you will need to set up AWS Organizations first.

Configure the Firewall Manager Administrator account

  1. Sign in to the AWS Console with an IAM user that has sufficient permissions.
  2. Open the Firewall Manager service.

  3. Click the Get Started button.
  4. Enter the ID of the AWS account you want to designate as the administrator.

  5. Click the Set administrator account button.
  6. Once the configuration succeeds, you will receive a confirmation message like the following.

Enable AWS Config Service

In the previous section, we enabled the AWS Config service from the AWS Console. Alternatively, it can be activated quickly across accounts by deploying a CloudFormation StackSet with the following parameters:

Parameter      Value (required)
Stack name     enable-aws-config
Template URL   EnableAWSConfig.yml

Enable resource sharing

To manage Network Firewall policies across AWS accounts, you need to enable resource sharing with AWS Organizations through the AWS Resource Access Manager (RAM) service.

  1. Open the Resource Access Manager service.
  2. In the left-hand navigation bar, select Settings.

  3. Click Enable sharing with AWS Organizations.

  4. Click the Save settings button.

Alternatively, the same setting can be enabled with the AWS CLI:

aws ram enable-sharing-with-aws-organization
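The four prerequisites above (Organizations, the Firewall Manager administrator account, AWS Config, and RAM sharing) can be verified after the console or CLI steps with read-only calls. The following script is an added example, not part of the original guide: it assumes AWS CLI v2 on PATH with credentials for the Organizations management account, and the checks it applies (FeatureSet ALL, RoleStatus READY, an active Config recorder, and ram.amazonaws.com listed as an enabled service principal) are the success indicators of each step rather than something the guide itself states. The account and organization IDs and the stored responses are constructed placeholders so the script also runs offline.

```python
"""Preflight check for the Firewall Manager prerequisites (added example).

Assumptions not taken from the guide: AWS CLI v2 on PATH, credentials for the
Organizations management account, and the response shapes interpreted below.
"""
import json
import subprocess
from typing import Callable, Dict


def org_ready(describe_org: dict) -> bool:
    """`aws organizations describe-organization`: Firewall Manager requires an
    Organization with all features enabled, i.e. FeatureSet == "ALL"."""
    org = describe_org.get("Organization", {})
    return org.get("FeatureSet") == "ALL"


def admin_ready(get_admin: dict, expected_account: str) -> bool:
    """`aws fms get-admin-account`: the administrator is usable once the account
    matches and the service-linked role reports RoleStatus READY."""
    return (get_admin.get("AdminAccount") == expected_account
            and get_admin.get("RoleStatus") == "READY")


def config_recording(status: dict) -> bool:
    """`aws configservice describe-configuration-recorder-status`: at least one
    recorder must be recording with a successful last status."""
    return any(r.get("recording") is True and r.get("lastStatus") == "SUCCESS"
               for r in status.get("ConfigurationRecordersStatus", []))


def ram_sharing_enabled(service_access: dict) -> bool:
    """`aws organizations list-aws-service-access-for-organization`: enabling RAM
    sharing with Organizations registers ram.amazonaws.com as a trusted service."""
    principals = {p.get("ServicePrincipal")
                  for p in service_access.get("EnabledServicePrincipals", [])}
    return "ram.amazonaws.com" in principals


def aws_cli(*args: str) -> dict:
    """Run a read-only AWS CLI command and parse its JSON output (live path)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def preflight(admin_account: str,
              fetch: Callable[..., dict] = aws_cli) -> Dict[str, bool]:
    """Evaluate the four prerequisites; `fetch` is injectable so the checks can
    run against recorded responses without touching AWS."""
    results: Dict[str, bool] = {}
    results["organizations"] = org_ready(fetch("organizations", "describe-organization"))
    try:
        results["fms_admin"] = admin_ready(fetch("fms", "get-admin-account"), admin_account)
    except subprocess.CalledProcessError:
        # get-admin-account fails with ResourceNotFoundException when no administrator is set
        results["fms_admin"] = False
    results["config"] = config_recording(
        fetch("configservice", "describe-configuration-recorder-status"))
    results["ram_sharing"] = ram_sharing_enabled(
        fetch("organizations", "list-aws-service-access-for-organization"))
    return results


# Constructed sample responses (placeholder IDs) so the script runs offline.
SAMPLE_RESPONSES = {
    ("organizations", "describe-organization"): {
        "Organization": {"Id": "o-exampleorgid", "FeatureSet": "ALL",
                         "MasterAccountId": "111111111111"}},
    ("fms", "get-admin-account"): {"AdminAccount": "123456789012", "RoleStatus": "READY"},
    ("configservice", "describe-configuration-recorder-status"): {
        "ConfigurationRecordersStatus": [
            {"name": "default", "recording": True, "lastStatus": "SUCCESS"}]},
    ("organizations", "list-aws-service-access-for-organization"): {
        "EnabledServicePrincipals": [{"ServicePrincipal": "ram.amazonaws.com"}]},
}


def sample_fetch(*args: str) -> dict:
    """Stand-in for aws_cli that serves the constructed responses above."""
    return SAMPLE_RESPONSES[args]


if __name__ == "__main__":
    import sys
    fetch = aws_cli if "--live" in sys.argv else sample_fetch
    for name, ok in preflight("123456789012", fetch=fetch).items():
        print(f"{name:14s} {'OK' if ok else 'MISSING'}")
```

Run it with `--live` from the management account to query AWS; without the flag it evaluates the constructed responses. Each check is a separate function so a failing prerequisite is reported by name, and `fetch` is injected rather than hard-wired so the same logic can be exercised against recorded output before it is pointed at a real organization.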