Centrally deploy Amazon WAF rules across accounts and resources

Using Firewall Manager, your security administrator can deploy Amazon WAF rules that control incoming traffic to your Application Load Balancers and API Gateways across accounts, from a single place. Any change to the centrally configured set of rules is automatically deployed to your accounts and resources, so security administrators can consistently enforce centrally mandated firewall rules across an organization, even as new accounts and resources are created. At the same time, Firewall Manager reports non-compliance, including any resources and accounts that are missing Amazon WAF protections. You can automatically enforce policies on resources that exist today or are created in the future, ensuring compliance with firewall rules across the organization. Amazon Firewall Manager lets you apply Amazon WAF rules such as Managed Rules for Amazon WAF, or your own custom-defined rules.

Multi-account resource groups

Within Amazon Firewall Manager, you can group resources by account, by resource type, and by tag. Your security team can create policies for all resources within a particular group or across accounts in the organization.

Cross-account protection policies

Amazon Firewall Manager is integrated with Amazon Organizations and automatically fetches the list of accounts in your organization so that you can group resources across accounts. First, you build a protection policy, which defines the group of resources it protects. Then, you specify the scope of the policy to cover a specific set of accounts, or all of your organization's accounts. Firewall Manager deploys the protections only on the in-scope resources in the accounts covered by the policy.

Hierarchical rule enforcement

Amazon Firewall Manager allows you to apply protection policies in a hierarchical manner, so you can delegate the creation of application-specific rules while retaining the ability to enforce certain rules centrally. Centrally applied rules are continuously monitored for accidental removal or mishandling, ensuring they remain applied consistently.
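The policy model described in the three sections above (resource groups by type and tag, scope over a set of accounts, and rule groups that are enforced around whatever rules an account owner adds) can be written down as a single Firewall Manager policy. The CloudFormation template below is an added example, not code from this page or from the Firewall Manager product; the policy name, account IDs and tag values are placeholders, and the exact JSON fields accepted in `ManagedServiceData` should be checked against the current Firewall Manager documentation before use.

```yaml
# Added example: one AWS::FMS::Policy that maps the concepts on this page to
# concrete settings. All IDs and names below are placeholders.
Resources:
  CentralWafBaselinePolicy:
    Type: AWS::FMS::Policy
    Properties:
      PolicyName: central-waf-baseline        # hypothetical policy name
      # Scope: only these member accounts receive the policy.
      # IncludeMap also accepts ORGUNIT to scope by organizational unit.
      IncludeMap:
        ACCOUNT:
          - "111111111111"                     # placeholder account ID
          - "222222222222"                     # placeholder account ID
      # Resource group: ALBs and API Gateway stages, further narrowed by tag.
      ResourceType: ResourceTypeList
      ResourceTypeList:
        - AWS::ElasticLoadBalancingV2::LoadBalancer
        - AWS::ApiGateway::Stage
      ResourceTags:
        - Key: waf-baseline                    # placeholder tag key
          Value: "true"
      ExcludeResourceTags: false               # false = only tagged resources are in scope
      # Auto-remediation: resources created later, or whose web ACL is removed,
      # are brought back into compliance instead of only being reported.
      RemediationEnabled: true
      SecurityServicePolicyData:
        Type: WAFV2
        # JSON passed as a string. preProcessRuleGroups are evaluated before,
        # and postProcessRuleGroups after, any rules the account owner adds to
        # the managed web ACL, which is what "hierarchical enforcement" means here.
        ManagedServiceData: |
          {
            "type": "WAFV2",
            "preProcessRuleGroups": [
              {
                "ruleGroupType": "ManagedRuleGroup",
                "ruleGroupArn": null,
                "managedRuleGroupIdentifier": {
                  "vendorName": "AWS",
                  "managedRuleGroupName": "AWSManagedRulesCommonRuleSet",
                  "version": null
                },
                "overrideAction": { "type": "NONE" },
                "excludeRules": []
              }
            ],
            "postProcessRuleGroups": [],
            "defaultAction": { "type": "ALLOW" },
            "overrideCustomerWebACLAssociation": false,
            "loggingConfiguration": null
          }
```

Two settings deserve a deliberate choice. `RemediationEnabled: true` makes Firewall Manager associate the managed web ACL with in-scope resources automatically; with it set to `false` the policy only reports non-compliant resources on the dashboard. `overrideCustomerWebACLAssociation: false` leaves an existing, account-owned web ACL in place on a resource and reports it as non-compliant; setting it to `true` replaces that web ACL with the centrally managed one, which is the stricter enforcement posture but can silently drop rules an application team depends on.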

Dashboard with compliance notifications

Amazon Firewall Manager provides a visual dashboard where you can quickly see which resources are protected, identify non-compliant resources, and take appropriate action. You can also be notified of changes to your configurations through Amazon SNS notifications.