Services or capabilities described in this page might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China Regions. Only “Region Availability” and “Feature Availability and Implementation Differences” sections for specific services (in each case exclusive of content referenced via hyperlink) in Getting Started with Amazon Web Services in China Regions form part of the Documentation under the agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China (Beijing) Region or Amazon Web Services China (Ningxia) Region (the “Agreement”). Any other content contained in the Getting Started pages does not form any part of the Agreement.
Amazon Firewall Manager Documentation
Amazon Firewall Manager is a security management service that enables you to centrally configure and manage firewall rules across your accounts and applications in Amazon Organizations. Firewall Manager is designed to help you bring new applications and resources into compliance by enforcing a common set of security rules. Firewall Manager can be used to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your accounts, from a central administrator account.
You can use Amazon Firewall Manager to roll out Amazon WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront distributions. You can use Amazon Firewall Manager to create Amazon Shield Advanced protections for your Application Load Balancers, ELB Classic Load Balancers, Elastic IP addresses and CloudFront distributions. You can also configure new Amazon Virtual Private Cloud (VPC) security groups and audit existing VPC security groups for your Amazon EC2, Application Load Balancer (ALB) and elastic network interface (ENI) resource types. You can deploy Amazon Network Firewall across accounts and VPCs in your organization. You can also use Amazon Firewall Manager to associate your VPCs with Amazon Route 53 Resolver DNS Firewall rules.
Centrally deploy Amazon Network Firewall across VPCs
Using Firewall Manager, you can deploy firewall rules for Amazon Network Firewall to control traffic leaving and entering your network across accounts and Amazon VPCs, from a single place. Changes to the centrally configured set of rules are deployed to your accounts and VPCs. Firewall Manager also reports non-compliant issues, including VPCs and accounts that are missing Network Firewall protections.
Deploy Amazon VPC security groups, Amazon WAF rules, Amazon Shield Advanced protections, Amazon Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules
You can enforce policies on Amazon Web Services resources that currently exist or that are created in the future. Amazon Firewall Manager gives customers the ability to apply Amazon WAF rules, as well as Managed Rules for Amazon WAF, on Application Load Balancers, API Gateways and Amazon CloudFront distributions. You can apply Amazon Shield Advanced protections on Application or Classic Load Balancers, Elastic IP addresses or CloudFront distributions. Similarly, you can use Amazon Firewall Manager to create a common primary security group across the EC2 instances in your VPC. With Firewall Manager, you can deploy Network Firewall endpoints and associated rules for your VPCs. Firewall Manager also lets you associate your VPCs with Route 53 Resolver DNS Firewall rules. You can choose to enforce the policy on newly created resources by default, or instead to be notified when a new resource is created.
Multi-account resource groups
Within Amazon Firewall Manager, you are able to group resources by Account, by Resource Type, and by Tag. You can create policies for all resources within a particular group or across accounts in the organization.
Cross-account protection policies
Amazon Firewall Manager is integrated with Amazon Organizations and fetches the list of accounts in your organization so that you can group resources across accounts. You can build protection policies that define a group of resources and associate that group with the policy. You can also specify the scope of the policy to cover a specific set of Amazon Web Services accounts or all of your organization's accounts. Firewall Manager deploys the protections only on the resources in the accounts covered by the scope of the policy.
Hierarchical rule enforcement
Amazon Firewall Manager enables you to apply protection policies in a hierarchical manner, so you can delegate the creation of application-specific rules while retaining the ability to enforce certain rules centrally. Centrally applied rules are monitored for accidental removal or mishandling.
Dashboard with compliance notifications
Amazon Firewall Manager provides a visual dashboard where you can view which Amazon Web Services resources are protected, identify non-compliant resources, and take appropriate action. You can also get notified when there are changes to your configurations through SNS notification streams.
Audit existing and future security groups in your VPCs
With Amazon Firewall Manager, you can create policies to set guardrails that define what security groups are allowed/disallowed across your VPCs. Amazon Firewall Manager monitors security groups to detect overly permissive rules and helps improve firewall posture. You can get notifications of accounts and resources that are non-compliant or allow Amazon Firewall Manager to take action directly through auto-remediation.
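As an added example that is not part of this page, here is what such a guardrail looks like as a Firewall Manager security group content-audit policy, in the JSON shape accepted by the Firewall Manager `PutPolicy` API (field names as I know them; check the current API reference before use). The audit security group `sg-PLACEHOLDER` and the account ID are placeholders; with `securityGroupAction` set to `ALLOW`, in-scope security groups may only contain rules that fall within the audit group's rules, so anything broader is reported as non-compliant.

```json
{
  "Policy": {
    "PolicyName": "baseline-sg-content-audit",
    "SecurityServicePolicyData": {
      "Type": "SECURITY_GROUPS_CONTENT_AUDIT",
      "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"securityGroups\":[{\"id\":\"sg-PLACEHOLDER\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"
    },
    "ResourceType": "AWS::EC2::SecurityGroup",
    "ResourceTags": [],
    "ExcludeResourceTags": false,
    "RemediationEnabled": false,
    "IncludeMap": {
      "ACCOUNT": ["ACCOUNT_ID_PLACEHOLDER"]
    }
  }
}
```

`RemediationEnabled` is left `false`, so the policy only reports non-compliant security groups and notifies you; setting it to `true` turns on the auto-remediation described above, which removes offending rules automatically.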
Amazon Web Services Marketplace third-party firewall support
Amazon Firewall Manager enables you to centrally deploy and monitor Amazon Web Services Marketplace subscribed third-party cloud firewalls across all virtual private clouds (VPCs) in your organization. The service is a single firewall management solution to deploy and manage both Amazon Web Services native firewalls and Amazon Web Services Marketplace subscribed third-party firewalls. You can automate cross-account deployment of firewalls, association of rules, and configuration of VPC routes, even as new accounts and VPCs are created in your organization.
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.amazonaws.cn/en_us. This additional information does not form part of the Documentation for purposes of the Sinnet Customer Agreement for Amazon Web Services (Beijing Region), Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region) or other agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China Regions.