
AWS Firewall Manager

  • A service for centrally managing firewall rules across all accounts in an AWS Organization, administered from a designated Firewall Manager administrator account
  • We define Security Policies, a common set of security rules, for example:
    • WAF rules
    • AWS Shield Advanced protections
    • Security Groups for EC2, ALB and other resources that use ENIs in a VPC
    • AWS Network Firewall (VPC level)
    • Amazon Route 53 Resolver DNS Firewall
  • Policies are applied automatically to new resources as they are created (good for compliance), across all existing and future accounts in our organization

WAF vs. Firewall Manager vs. Shield

  • WAF, Shield and Firewall Manager are used together for comprehensive protection
  • We define Web ACL rules in WAF
  • For granular protection of resources within a single account, WAF alone is sufficient
  • If we want to use AWS WAF across multiple accounts, accelerate WAF configuration, or automate the protection of new resources, we should use Firewall Manager with AWS WAF
  • Shield Advanced adds features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting
  • If we are prone to frequent DDoS attacks, we should consider purchasing Shield Advanced

Security Policies

  • Policy Type: AWS WAF:
    • Enforce applying Web ACLs to all ALBs in all accounts in an AWS Organization
    • We have two options:
      • Identify resources that don't comply, but don't auto-remediate: Firewall Manager creates the Web ACL in each account without associating it with any resource
      • Auto-remediate any noncompliant resource: Firewall Manager automatically associates the Web ACL with existing and newly created in-scope resources
  • Policy Type: Shield Advanced:
    • Enforce Shield Advanced protection in all accounts in an AWS Organization
    • We have the option to view compliance only (to assess impact) or to auto-remediate
  • Security Group Policy Type: Common Security Groups:
    • Enforce applying SGs to all EC2 instances in all accounts in an AWS Organization
  • Security Group Policy Type: Auditing of Security Group Policy:
    • Check and manage SG Rules in all accounts in an AWS Organization
  • Security Group Policy Type: Usage Audit Security Group Policy:
    • Monitor unused and redundant SGs and optionally perform cleanup
  • Policy Type: Network Firewall:
    • Centrally manage Network Firewall firewalls in all accounts in an AWS Organization
    • Modes:
      • Distributed: creates and maintains a firewall endpoint in each VPC
      • Centralized: creates and maintains a firewall endpoint in a centralized VPC
    • Import existing firewalls into the policy using Resource Sets
  • Policy Type: Route 53 Resolver Firewall:
    • Manage associations between Resolver DNS Firewall Rule Groups and VPCs in all accounts in an AWS Organization