Amazon Firewall Manager Documentation

Amazon Firewall Manager is a security management service that enables you to centrally configure and manage firewall rules across your accounts and applications in Amazon Organizations. Firewall Manager is designed to help you bring new applications and resources into compliance by enforcing a common set of security rules. Firewall Manager can be used to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your accounts, from a central administrator account.

You can use Amazon Firewall Manager to roll out Amazon WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront distributions. You can use Amazon Firewall Manager to create Amazon Shield Advanced protections for your Application Load Balancers, ELB Classic Load Balancers, Elastic IP Addresses and CloudFront distributions. You can also configure new Amazon Virtual Private Cloud (VPC) security groups and audit existing VPC security groups for your Amazon EC2, Application Load Balancer (ALB) and ENI resource types. You can deploy Amazon Network Firewalls across accounts and VPCs in your organization. You can also use Amazon Firewall Manager to associate your VPCs with Amazon Route 53 Resolver DNS Firewall rules.

Using Firewall Manager, you can deploy firewall rules for Amazon Network Firewall to control traffic leaving and entering your network across accounts and Amazon VPCs, from a single place. Changes to the centrally configured set of rules are deployed to your accounts and VPCs. Firewall Manager also reports non-compliant issues, including VPCs and accounts that are missing Network Firewall protections.

You can enforce policies on Amazon Web Services resources that currently exist or that are created in the future. Amazon Firewall Manager gives customers the ability to apply Amazon WAF rules, as well as Managed Rules for Amazon WAF, on Application Load Balancers, API Gateways and Amazon CloudFront accounts. You can apply Amazon Shield Advanced protections on Application or Classic Load Balancers, Elastic IP addresses or CloudFront distributions. Similarly, you can use Amazon Firewall Manager to create a common primary security group across your EC2 instances in your VPC. With Firewall Manager, you can deploy Network Firewall endpoints and associated rules for your VPCs. Firewall Manager also lets you associate your VPCs with Route 53 Resolver DNS Firewall rules. You can choose to enforce the rule on a newly created resource by default, or you can choose to be notified when the new resource is created.

Within Amazon Firewall Manager, you are able to group resources by Account, by Resource Type, and by Tag. You can create policies for all resources within a particular group or across accounts in the organization.

Amazon Firewall Manager is integrated with Amazon Organizations and will fetch the list of accounts in your Amazon Organization to enable you to group resources across accounts. You can build protection policies, which define a group of resources and associate the group with your policy. You can also specify the scope of the policy to cover a specific set of Amazon Web Services accounts or all of your Organizations’ accounts. Firewall Manager will deploy the protections only on the resources in the accounts based on the scope of the policy.

Amazon Firewall Manager enables you to apply protection policies in a hierarchical manner, so you can delegate the creation of application-specific rules while retaining the ability to enforce certain rules centrally. Centrally applied rules are monitored for accidental removal or mishandling.  

Amazon Firewall Manager provides a visual dashboard where you can view which Amazon Web Services resources are protected, identify non-compliant resources, and take appropriate action. You can also get notified when there are changes to your configurations through SNS notification streams. 

With Amazon Firewall Manager, you can create policies to set guardrails that define what security groups are allowed/disallowed across your VPCs. Amazon Firewall Manager monitors security groups to detect overly permissive rules and helps improve firewall posture. You can get notifications of accounts and resources that are non-compliant or allow Amazon Firewall Manager to take action directly through auto-remediation.  

Amazon Firewall Manager enables you to centrally deploy and monitor Amazon Web Services Marketplace subscribed third-party cloud firewalls across all virtual private clouds (VPCs) in your organization. The service is a single firewall management solution to deploy and manage both Amazon Web Services native firewalls and Amazon Web Services Marketplace subscribed third-party firewalls. You can automate cross-account deployment of firewalls, association of rules, and configuration of VPC routes, even as new accounts and VPCs are created in your organization.

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.amazonaws.cn/en_us. This additional information does not form part of the Documentation for purposes of the Sinnet Customer Agreement for Amazon Web Services (Beijing Region), Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region) or other agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China Regions.