AWS Firewall Manager (FMS) - Overview.
Scope:
- The Concept of AWS Firewall Manager,
- Core Architecture & Flow (How it fits into the AWS Security Ecosystem),
- Table of Key Components in Architecture & Description,
- Table for Supported Services/Layers, Policy Types & Description,
- How AWS Firewall Manager Works (Step-by-Step),
- Sample Use Cases,
- Table for Integration Services & Roles,
- Best Practices.
The Concept of AWS Firewall Manager
- AWS Firewall Manager (FMS) is a centralized security management service.
- AWS Firewall Manager (FMS) lets twtech:
  - Define and enforce security policies for:
    - AWS WAF,
    - AWS Shield Advanced,
    - VPC security groups,
    - Route 53 Resolver DNS Firewall,
    - AWS Network Firewall.
  - Automatically apply those policies across all accounts and resources in the twtech AWS Organization (via AWS Organizations).
  - Maintain consistent protection for new and existing resources without manual setup in every account.
Core Architecture & Flow (How it fits into the AWS Security Ecosystem):
Table of Key Components in Architecture & Description:

| Component | Description |
|---|---|
| Admin Account | The central account (designated via AWS Organizations) that defines and manages policies. |
| Member Accounts | Other accounts in the org where FMS applies and enforces policies. |
| Policies | Define rules and targets for specific AWS services (e.g., WAF Web ACLs or Shield protections). |
| Compliance Reports | Show which resources are protected, which are missing policies, and which are non-compliant. |
Table for Supported Services/Layers, Policy Types & Description

| Service / Layer | Firewall Manager Policy Type | Description |
|---|---|---|
| AWS WAF | Web ACL Policy | Applies WAF Web ACLs to CloudFront, ALBs, or API Gateways. |
| AWS Shield Advanced | Shield Policy | Enrolls resources into Shield Advanced protection automatically. |
| Security Groups | Security Group Policy | Manages common rules or audits unused/permissive SGs. |
| AWS Network Firewall | Network Firewall Policy | Deploys centralized firewall rules in VPCs. |
| Route 53 Resolver DNS Firewall | DNS Firewall Policy | Enforces DNS filtering rules organization-wide. |
| Third-party Firewalls (via Marketplace) | Custom Policy | Integrate vendor-managed security controls. |
How AWS Firewall Manager Works (Step-by-Step)
- Enable AWS Organizations
  - Create or use an existing AWS Organization.
  - Designate the management account.
- Enable Firewall Manager
  - Choose an admin account for Firewall Manager.
- Define a Policy
  - Choose the policy type (e.g., WAF, Shield, SG, Network Firewall, etc.).
  - Define rules and scope (resource type, tags, regions).
- Automatic Enforcement
  - FMS identifies all matching resources across member accounts.
  - It automatically applies and maintains policies.
  - New resources matching the scope are automatically protected.
- Compliance Monitoring
  - FMS dashboards and reports show compliant vs. non-compliant resources.
  - Integrates with AWS Security Hub for centralized visibility.
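The "Define a Policy" and "Compliance Monitoring" steps above, worked through as an added example (not code from the original post): the script builds the request body that boto3's `fms.put_policy(**request)` expects for an AWS WAF (WAFV2) policy scoped to one organizational unit, and then summarises a response in the shape returned by `fms.list_compliance_status`. The OU id, account ids, policy id and sample compliance response are constructed placeholders, and no AWS call is made, so it runs offline.

```python
import json

# Added example, not code from the original post. Builds a Firewall Manager
# WAFV2 policy request and summarises a compliance-status response. All ids
# (OU, accounts, policy id) are constructed placeholders; nothing is sent
# to AWS.


def build_waf_policy(policy_name, org_unit_ids, resource_type,
                     managed_rule_groups, resource_tags=None,
                     remediate=True):
    """Return the put_policy request dict for a WAFV2 Firewall Manager policy.

    ManagedServiceData is a JSON *string* nested inside the JSON request,
    so it must be json.dumps'ed separately; passing a dict is rejected.
    """
    pre_process = [
        {
            "ruleGroupArn": None,
            "overrideAction": {"type": "NONE"},
            "managedRuleGroupIdentifier": {
                "version": None,
                "vendorName": "AWS",
                "managedRuleGroupName": name,
            },
            "ruleGroupType": "ManagedRuleGroup",
            "excludeRules": [],
        }
        for name in managed_rule_groups
    ]
    managed_service_data = {
        "type": "WAFV2",
        "preProcessRuleGroups": pre_process,
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        # keep FMS in control of the Web ACL association on every resource
        "overrideCustomerWebACLAssociation": False,
    }
    policy = {
        "PolicyName": policy_name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": json.dumps(managed_service_data),
        },
        "ResourceType": resource_type,
        "ExcludeResourceTags": False,
        "RemediationEnabled": remediate,  # auto-remediate, not just report
        # scope: only accounts under these OUs are in scope
        "IncludeMap": {"ORG_UNIT": list(org_unit_ids)},
    }
    if resource_tags:
        # with ResourceTags set, only resources carrying these tags are in scope
        policy["ResourceTags"] = [{"Key": k, "Value": v}
                                  for k, v in resource_tags.items()]
    return {"Policy": policy}


def decode_managed_service_data(request):
    """Parse the nested ManagedServiceData string back into a dict."""
    data = request["Policy"]["SecurityServicePolicyData"]["ManagedServiceData"]
    return json.loads(data)


# Constructed sample, mirroring the shape of fms.list_compliance_status output.
SAMPLE_COMPLIANCE_RESPONSE = {
    "PolicyComplianceStatusList": [
        {
            "PolicyId": "00000000-0000-0000-0000-000000000000",  # placeholder
            "PolicyName": "prod-waf",
            "MemberAccount": "111111111111",
            "EvaluationResults": [
                {"ComplianceStatus": "COMPLIANT", "ViolatorCount": 0,
                 "EvaluationLimitExceeded": False},
            ],
        },
        {
            "PolicyId": "00000000-0000-0000-0000-000000000000",  # placeholder
            "PolicyName": "prod-waf",
            "MemberAccount": "222222222222",
            "EvaluationResults": [
                {"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 3,
                 "EvaluationLimitExceeded": False},
            ],
        },
    ]
}


def summarize_compliance(response):
    """Map each member account to its count of violating resources (0 = compliant)."""
    summary = {}
    for status in response["PolicyComplianceStatusList"]:
        summary[status["MemberAccount"]] = sum(
            r["ViolatorCount"] for r in status["EvaluationResults"]
            if r["ComplianceStatus"] == "NON_COMPLIANT")
    return summary


if __name__ == "__main__":
    request = build_waf_policy(
        "prod-waf", ["ou-abcd-11111111"],
        "AWS::ElasticLoadBalancingV2::LoadBalancer",
        ["AWSManagedRulesCommonRuleSet"], {"fms-protect": "true"})
    print(json.dumps(request, indent=2))
    # live: boto3.client("fms").put_policy(**request)
    print(summarize_compliance(SAMPLE_COMPLIANCE_RESPONSE))
```

`RemediationEnabled` is the difference between a policy that only reports non-compliant resources and one that attaches the Web ACL itself; start with it off during the OU-by-OU rollout described under Best Practices. Policies for CloudFront distributions must be created in us-east-1, since CloudFront is a global service.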
Sample Use Cases

| Scenario | How FMS Helps |
|---|---|
| Consistent WAF protection | Apply a single WAF Web ACL to all CloudFront distributions. |
| DDoS protection for all apps | Automatically enroll new ALBs into Shield Advanced. |
| Restrict open Security Groups | Detect and optionally remediate overly permissive SGs (e.g., 0.0.0.0/0:22). |
| Centralized VPC Firewalling | Apply AWS Network Firewall policies to all new VPCs. |
| DNS threat filtering | Apply Route 53 DNS Firewall rulesets org-wide. |
Table for Integration Services & Roles

| Service | Integration Role |
|---|---|
| AWS Organizations | Enables multi-account enforcement |
| AWS Config | Tracks compliance state |
| AWS Security Hub | Aggregates findings |
| CloudWatch & EventBridge | Send compliance alerts |
| AWS Shield Advanced | Manages DDoS coverage |
| AWS WAF / Network Firewall | Enforce rule sets |
Best Practices
- Use AWS Organizations with SCPs → Ensure accounts cannot disable FMS or change policies locally.
- Tag resources consistently → FMS uses tags to determine which resources a policy applies to.
- Integrate with Security Hub → Centralize compliance visibility across all AWS services.
- Enable Shield Advanced via FMS → Automatically cover all critical workloads.
- Test policies in one OU first → Then expand gradually across OUs for safe rollout.
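The first best practice, "use SCPs so accounts cannot disable FMS or change policies locally", as an added example that is not from the original post: a service control policy that denies the Firewall Manager admin-disassociation and policy-change actions from every account except the designated admin account, plus a small evaluator that checks the policy has the intended effect before it is attached. The admin account id is a constructed placeholder, and the evaluator understands only the Deny-with-`StringNotEquals` pattern used here, not full IAM policy semantics.

```python
import fnmatch
import json

# Added example, not code from the original post. The SCP below is the
# guardrail for the "Use AWS Organizations with SCPs" best practice; the
# account id is a constructed placeholder. scp_denies() is a deliberately
# narrow evaluator for this Deny + StringNotEquals pattern only.

FMS_ADMIN_ACCOUNT = "111111111111"  # constructed placeholder

FMS_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyFmsChangesOutsideAdminAccount",
            "Effect": "Deny",
            "Action": [
                "fms:DisassociateAdminAccount",  # would turn FMS off org-wide
                "fms:PutPolicy",                 # would alter enforced policies
                "fms:DeletePolicy",
            ],
            "Resource": "*",
            # Deny applies unless the caller is in the FMS admin account
            "Condition": {
                "StringNotEquals": {"aws:PrincipalAccount": FMS_ADMIN_ACCOUNT}
            },
        },
        {
            # an account that leaves the org also leaves FMS scope
            "Sid": "DenyLeavingOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def _action_matches(pattern, action):
    # IAM action patterns use '*' and '?' wildcards and are case-insensitive
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(scp, action, principal_account):
    """True if an explicit Deny statement in `scp` applies to this call.

    Handles Effect=Deny statements with an optional
    StringNotEquals aws:PrincipalAccount condition, which is all this
    guardrail uses. It is not a general IAM evaluator.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_action_matches(p, action) for p in patterns):
            continue
        condition = stmt.get("Condition", {}).get("StringNotEquals", {})
        exempt_account = condition.get("aws:PrincipalAccount")
        if exempt_account is not None and principal_account == exempt_account:
            continue  # condition not met, so this Deny does not fire
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(FMS_GUARDRAIL_SCP, indent=2))
    # live: boto3.client("organizations").create_policy(
    #     Content=json.dumps(FMS_GUARDRAIL_SCP), Name="fms-guardrail",
    #     Type="SERVICE_CONTROL_POLICY", Description="Protect FMS config")
    for account in (FMS_ADMIN_ACCOUNT, "222222222222"):
        print(account, "fms:DeletePolicy denied:",
              scp_denies(FMS_GUARDRAIL_SCP, "fms:DeletePolicy", account))
```

Two caveats when attaching this: SCPs never restrict the organization's management account, so keep the FMS admin account separate from it and lock the management account down with other controls; and an SCP only limits what principals in member accounts can do, it does not by itself protect resources the admin account has already deployed.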