General

Q: What is Amazon Firewall Manager?

Amazon Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in Amazon Organizations. As new applications are created, Firewall Manager makes it easy to bring new applications and resources into compliance by enforcing a common set of security rules. Now you have a single service to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure.

Q: What are the key benefits of Amazon Firewall Manager?

Amazon Firewall Manager is integrated with Amazon Organizations so you can enable Amazon WAF rules across multiple Amazon accounts and resources from a single place. Firewall Manager monitors for new resources or accounts created to ensure they comply with a mandatory set of security policies from day one. You can group rules, build policies, and centrally apply those policies across your entire infrastructure. For example, you can delegate the creation of application-specific rules within an account while retaining the ability to enforce global security policies across accounts. Your security team can be notified of threats to the organization so they can respond and rapidly mitigate an attack.

Q: Which Amazon resource types can Amazon Firewall Manager configure Amazon WAF rules on?

You can roll out Amazon WAF rules across Application Load Balancers and API Gateways.

Q: How much does Amazon Firewall Manager cost?

Amazon Firewall Manager pricing is available here

Enabling Amazon Firewall Manager

Q: What are the prerequisites for Amazon Firewall Manager?

There are three mandatory prerequisites and one optional prerequisite to use Amazon Firewall Manager.

  • Amazon Organizations - Your accounts must be part of Amazon Organizations and have enabled all features. See Amazon Organizations documentation for more details.
  • Set the Amazon Firewall Manager administrator account - Firewall Manager must be associated with the management account of your Amazon Organization or associated with a member account that has the appropriate permissions. The account that you associate with Firewall Manager is called the Firewall Manager administrator account. See the documentation guide for more information.
  • Enable Amazon Config on accounts - Enable Amazon Config for each member account in your organization. See Amazon Config documentation.

Q: How do I use Amazon Firewall Manager?

  • First, complete the prerequisites mentioned above.
  • Second, create a security policy type for Amazon WAF.
  • Third, specify the rule groups (custom or managed) that you want to deploy across accounts, in the order of priority for evaluation.
  • Fourth, specify the scope of the policy by choosing the accounts, resource type and, optionally, resource tags, where you want the firewall rules to be deployed.
  • Finally, you can review and create the policy. Firewall Manager will automatically apply the rules to all resources across accounts. Once complete, Firewall Manager also shows a compliance dashboard indicating any accounts/resources that are non-compliant and those that are compliant.

Q: Can I create a Firewall Manager policy but not remediate automatically?

Yes, you can configure a Firewall Manager policy in two modes:

  • Automatic remediation, which allows you to automatically monitor for drift in policy and apply rules on non-compliant resources
  • Manual remediation, which creates a new policy and the associated rules/protections in each account but does not enforce the rules on the resources in the account. After the policy is created with manual remediation, you can choose to take manual action for each local account, or at any point you can edit the policy to automatically remediate.

Q: How many accounts can Amazon Firewall Manager manage?

Each Firewall Manager policy can be scoped to at most 2,500 accounts, which is the default limit on the number of accounts in Amazon Organizations.

Q: How many resources can Amazon Firewall Manager manage?

There is no limit on the number of resources managed by Firewall Manager at this time.

Q: Can I create protection policies across regions?

No, Amazon Firewall Manager protection policies are region specific. Each Firewall Manager policy can only include resources available in that specified Amazon Web Services Region. You can create a new policy for each region where you operate.

Q: Can I exclude accounts or resources from the scope of the policy?

Yes. You can exclude accounts. You can also use tags to specify the resources that should be excluded from the policy scope. 
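
The policy steps, remediation modes and scoping answers above, as an added example (not Amazon's code): a Python function that assembles the policy document for the Firewall Manager PutPolicy API and rejects scopes the FAQ rules out. It assumes the WAFV2 policy type and custom rule groups; the function name, policy name and sample ARN are constructed for illustration.

```python
import json

ALLOWED_TYPES = {"AWS::ElasticLoadBalancingV2::LoadBalancer",  # ALB
                 "AWS::ApiGateway::Stage"}                     # API Gateway
MAX_ACCOUNTS = 2500  # per-policy account limit stated in the FAQ
# Constructed sample ARN (not a real rule group).
SAMPLE_ARN = ("arn:aws-cn:wafv2:cn-north-1:111122223333:"
              "regional/rulegroup/baseline/EXAMPLE")


def build_waf_policy(name, region, rule_group_arns, resource_types,
                     include_accounts=(), exclude_accounts=(),
                     exclude_tags=None, auto_remediate=False):
    """Return the Policy document for fms:PutPolicy, or raise ValueError."""
    bad_types = set(resource_types) - ALLOWED_TYPES
    if bad_types or not resource_types:
        raise ValueError(f"unsupported resource types: {sorted(bad_types)}")
    # Policies are region specific: every rule group must live in `region`.
    foreign = [a for a in rule_group_arns if a.split(":")[3:4] != [region]]
    if foreign:
        raise ValueError(f"rule groups outside {region}: {foreign}")
    # Firewall Manager ignores ExcludeMap when IncludeMap is set: refuse both.
    if include_accounts and exclude_accounts:
        raise ValueError("give an include list or an exclude list, not both")
    if len(include_accounts) > MAX_ACCOUNTS:
        raise ValueError("policy scope exceeds 2,500 accounts")
    managed = {
        "type": "WAFV2",
        # List order carries the priority order chosen in step three.
        "preProcessRuleGroups": [
            {"ruleGroupType": "RuleGroup", "ruleGroupArn": arn,
             "overrideAction": {"type": "NONE"}, "excludeRules": []}
            for arn in rule_group_arns],
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        "overrideCustomerWebACLAssociation": False,
    }
    tags = exclude_tags or {}
    policy = {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2", "ManagedServiceData": json.dumps(managed)},
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": sorted(resource_types),
        "ResourceTags": [{"Key": k, "Value": v} for k, v in tags.items()],
        "ExcludeResourceTags": bool(tags),
        "RemediationEnabled": auto_remediate,  # False = manual remediation
    }
    for key, ids in (("IncludeMap", include_accounts),
                     ("ExcludeMap", exclude_accounts)):
        if ids:
            policy[key] = {"ACCOUNT": list(ids)}
    return policy
```

The returned dict is what boto3's `fms` client accepts as `put_policy(Policy=...)`, called in the policy's Region from the Firewall Manager administrator account. Leaving `auto_remediate=False` creates the policy in manual remediation mode, so the compliance dashboard can be reviewed before rules are enforced.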

Dashboard and Visibility

Q: How can I view the compliance status for a particular policy?

With Firewall Manager you can quickly view the compliance status for each policy by looking at how many accounts are included in the scope of the policy and how many of those are compliant. Further, for each policy configured on Firewall Manager, you get a compliance dashboard. The central compliance dashboard allows you to view which accounts are non-compliant with a given policy, which specific resources are non-compliant, and the reason why a particular resource is not compliant. You can also view non-compliant events for each account on Amazon Security Hub.

Q: Does Amazon Firewall Manager provide notifications when a resource is non-compliant?

Yes, you can create new SNS notification channels to receive real-time notifications when new non-compliant resources are discovered. Similarly, each account scoped as part of a Firewall Manager policy is notified for non-compliant events on Amazon Security Hub.

Q: How can I view all threats across my organization?

For each Firewall Manager policy created, you can aggregate Amazon CloudWatch metrics for each Rule in the Rule Group, indicating how many requests were allowed or blocked across the entire organization. This gives you a central place to set up alerts for threats across your organization.