Friday, December 29, 2023

AWSCertCP: AWS Firewall manager FAQs

What are the prerequisites for AWS Firewall Manager?

There are three mandatory prerequisites and one optional prerequisite for using AWS Firewall Manager.

AWS Organizations - Your accounts must be part of AWS Organizations, with all features enabled.

Set the AWS Firewall Manager Administrator Account - Firewall Manager must be associated with the management account of your AWS organization, or with a member account that has the appropriate permissions. The account that you associate with Firewall Manager is called the Firewall Manager administrator account.

Enable AWS Config on accounts - Enable AWS Config for each member account in your organization.

Enable AWS Resource Access Manager (Optional) - To enable Firewall Manager to centrally configure AWS Network Firewalls or associate Amazon Route 53 Resolver DNS Firewall rules across accounts and VPCs, you must first enable sharing of resources using AWS Resource Access Manager.

How do I use AWS Firewall Manager?

First, complete the prerequisites mentioned above.

Second, create a policy type for AWS WAF, AWS Shield Advanced, VPC security group, AWS Network Firewall, or Amazon Route 53 Resolver DNS Firewall.

Third, depending on the policy, specify the set of rules or protections. For example, for a policy for AWS WAF specify the rule groups (custom or managed) that you want to deploy across accounts. Similarly, for a VPC security group policy, reference the security group you want replicated in each resource within accounts. For AWS Network Firewall, specify the rule groups (stateful and stateless) that you want to deploy across VPCs in your accounts. For Amazon Route 53 Resolver DNS Firewall, specify the set of rules (rule groups) you want to associate with your VPCs in your accounts.

Fourth, specify the scope of the policy by choosing the accounts, resource type and, optionally, resource tags, where you want the policy to be deployed.

Finally, you can review and create the policy. Firewall Manager will automatically apply the rules and protections to all resources across accounts. Once complete, Firewall Manager also shows a compliance dashboard indicating any accounts/resources that are non-compliant and those that are compliant.

Can I create a Firewall Manager policy but not remediate automatically?

Yes, you can configure a Firewall Manager policy in two modes:

Automatic remediation, which continuously monitors for drift from the policy and applies the rules to non-compliant resources.

Manual remediation, which creates a new policy and the associated rules/protections in each account but does not enforce the rules on the resources in the account. After the policy is created with manual remediation, you can choose to take manual action for each local account, or at any point you can edit the policy to automatically remediate.

How many accounts can AWS Firewall Manager manage?

Each Firewall Manager policy can be scoped to at most 2,500 accounts, which is the default limit for the number of accounts in AWS Organizations.

How many resources can AWS Firewall Manager manage?

There is currently no limit on the number of resources managed by Firewall Manager.

Can I create security policies across regions?

No, AWS Firewall Manager security policies are region specific. Each Firewall Manager policy can only include resources available in that specified AWS Region. You can create a new policy for each region where you operate.

Can I exclude accounts or resources from the scope of the policy?

Yes. You can exclude accounts. You can also use tags to specify the resources that should be excluded from the policy scope.
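The creation steps above, the two remediation modes, the per-policy account limit and tag-based exclusion all end up as fields of a single PutPolicy request. The following added example (not from the FAQ or from AWS) builds that request with boto3 for an AWS WAF policy; the account IDs, the tag key, the load balancer resource type and the AWSManagedRulesCommonRuleSet rule group are illustrative choices.

```python
import json

MAX_ACCOUNTS_PER_POLICY = 2500  # per-policy account limit stated in the FAQ

def build_waf_policy(name, account_ids, excluded_tags, auto_remediate):
    """Policy argument for boto3 fms.put_policy() for an AWS WAF (WAFV2) policy.
    Constructed example: account IDs, tags and rule group choice are placeholders."""
    if len(account_ids) > MAX_ACCOUNTS_PER_POLICY:
        raise ValueError(f"policy scope exceeds {MAX_ACCOUNTS_PER_POLICY} accounts")
    # Step 3: rule groups to deploy. ManagedServiceData must be a JSON *string*,
    # not a nested object; passing a dict here is a common PutPolicy mistake.
    managed = {
        "type": "WAFV2",
        "preProcessRuleGroups": [{
            "ruleGroupArn": None, "overrideAction": {"type": "NONE"},
            "managedRuleGroupIdentifier": {"version": None, "vendorName": "AWS",
                                           "managedRuleGroupName": "AWSManagedRulesCommonRuleSet"},
            "ruleGroupType": "ManagedRuleGroup", "excludeRules": [],
        }],
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        "overrideCustomerWebACLAssociation": False,
        "loggingConfiguration": None,
    }
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {"Type": "WAFV2", "ManagedServiceData": json.dumps(managed)},
        # Step 4: scope = accounts + resource type + (optional) tags.
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "IncludeMap": {"ACCOUNT": list(account_ids)},
        "ResourceTags": [{"Key": k, "Value": v} for k, v in excluded_tags.items()],
        "ExcludeResourceTags": True,  # resources carrying these tags are *excluded*
        "RemediationEnabled": auto_remediate,  # False = manual remediation mode
    }

def rule_group_names(policy):
    """Decode ManagedServiceData and list the rule groups a WAF policy deploys."""
    data = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    names = []
    for g in data["preProcessRuleGroups"] + data["postProcessRuleGroups"]:
        ident = g.get("managedRuleGroupIdentifier") or {}
        names.append(ident.get("managedRuleGroupName") or g.get("ruleGroupArn"))
    return names

def put_policy(policy, region):
    """Create or update the policy; Firewall Manager policies are region-specific."""
    import boto3  # imported lazily so the builder above can be exercised offline
    fms = boto3.client("fms", region_name=region)
    return fms.put_policy(Policy=policy)["Policy"]["PolicyId"]
```

Run put_policy() once per Region you operate in, since a single policy cannot span Regions.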

What is a Firewall Manager security policy?

A Firewall Manager security policy is a set of configurations that lets customers specify the accounts and resources that need to be associated with a set of firewall rules, with additional configurations customized for each firewall type. Firewall Manager today supports AWS WAF, AWS Shield Advanced, VPC security groups, AWS Network Firewall, Amazon Route 53 Resolver DNS Firewall and AWS Marketplace third-party firewalls.

Does AWS Firewall Manager provide notifications when a resource is non-compliant?

Yes, you can create new SNS notification channels to receive real-time notifications when new non-compliant resources are discovered. Similarly, each account scoped as part of a Firewall Manager policy receives non-compliance findings in AWS Security Hub.

How can I view all threats across my organization?

For each Firewall Manager policy created, you can aggregate CloudWatch metrics for each Rule in the Rule Group, indicating how many requests were allowed or blocked across the entire organization. This gives you a central place to set up alerts for threats across your organization.
