Prerequisites for Automations for AWS Firewall Manager
This section describes the prerequisites you must meet before launching each stack.
Important
To deploy the automations for Shield Advanced CloudFormation templates, you must already be subscribed to Shield Advanced. All accounts in your AWS Organization where you wish to enable health-based detection or proactive event response must also be subscribed to Shield Advanced, in addition to the account where the stacks are deployed.
If Firewall Manager is not already configured in your AWS Organizations management account, you must deploy the solution's prerequisite template first. Deploy it in the AWS Organizations management account, with the all features option activated in AWS Organizations, before deploying the other templates.
For more information, refer to Step 1: (Optional) Install the Prerequisite template.
Prerequisites for the Shield Advanced Automations stack
Before deploying the aws-fms-shield-automations CloudFormation template, you must first do the following:
- Subscribe all accounts in your AWS Organization to which you deploy the stack to Shield Advanced.
- Deploy the Shield Advanced Automations Prerequisite template (aws-fms-shield-automations-prereq.template). We recommend deploying this prerequisite template to all member accounts in your AWS Organization by using CloudFormation service-managed StackSets.
- Enable AWS Config recording for the AWS::Shield::Protection and AWS::ShieldRegional::Protection resource types in all accounts in your AWS Organization where you want to enable Shield Advanced health-based detection. Recording must be on in every account and Region where the stack runs; the automations rely on AWS Config to learn about new and changed protections.
Prerequisites for the Proactive Event Response stack
Before deploying the aws-fms-proactive-event-response CloudFormation template, you must first do the following:
- Subscribe all accounts in your AWS Organization to which you deploy the stack to the following:
  - Either the Business Support plan or the Enterprise Support plan
  - Shield Advanced
- Associate a Route 53 health check with any resource that you want to protect with proactive engagement. A protected resource with no associated health check is not eligible for proactive engagement. For more information on configuring proactive event response, refer to Setting up proactive engagement for the SRT to contact you directly in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
You don’t need to deploy a prerequisite template before deploying the aws-fms-proactive-event-response template.
Service-managed StackSets
Before deploying stacks using service-managed StackSets, you must first do the following:
- Enable all features in AWS Organizations
- Activate trusted access with AWS Organizations
These actions can only be performed by an account administrator in your organization’s management account. For more information, refer to Activate trusted access for stack sets with Organizations in the AWS CloudFormation User Guide.
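The checks below are an added example, not part of this guide or of the solution's templates. They evaluate three of the prerequisites on this page (AWS Config recording of the two Shield protection resource types, a Route 53 health check associated with every protected resource, and all features plus StackSets trusted access in AWS Organizations) against the JSON shapes returned by the AWS CLI commands named in the docstring. Nothing here calls AWS: you paste in the command output (or use the constructed samples at the bottom, which are not captured from a real account), so the script runs offline. The function names, the sample values and the idea of a single pre-flight script are assumptions of this example; the service principal and response field names are the ones AWS documents.

```python
"""Pre-flight checks for the prerequisites on this page, evaluated against the
JSON shapes the AWS CLI / boto3 return. Nothing here calls AWS; feed it the
output of the listed commands (or the constructed samples at the bottom).

  aws configservice describe-configuration-recorders          -> missing_shield_types()
  aws shield list-protections                                 -> unprotected_by_health_check()
  aws organizations describe-organization                     -> stacksets_blockers()
  aws organizations list-aws-service-access-for-organization  -> stacksets_blockers()
"""
from typing import Dict, List, Set

# Resource types the Shield Advanced Automations stack needs AWS Config to record.
SHIELD_RESOURCE_TYPES = frozenset({"AWS::Shield::Protection", "AWS::ShieldRegional::Protection"})
# Service principal behind "Activate trusted access with AWS Organizations" for StackSets.
STACKSETS_SERVICE_PRINCIPAL = "member.org.stacksets.cloudformation.amazonaws.com"


def recorded_shield_types(recorder: Dict) -> Set[str]:
    """Shield types a single configuration recorder records, across the three
    recording strategies AWS Config supports (plus the legacy allSupported flag)."""
    group = recorder.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:  # older response shape without recordingStrategy
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES" if group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        return set(SHIELD_RESOURCE_TYPES)
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        return set(SHIELD_RESOURCE_TYPES & set(group.get("resourceTypes", [])))
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
        return set(SHIELD_RESOURCE_TYPES - excluded)
    raise ValueError(f"unknown recording strategy {strategy!r}")


def missing_shield_types(recorders_response: Dict) -> Set[str]:
    """Shield types that no recorder in this account/Region covers (empty set == OK).
    Run once per account and per Region where the stack will be deployed; an
    account with no recorder at all reports both types missing."""
    covered: Set[str] = set()
    for rec in recorders_response.get("ConfigurationRecorders", []):
        covered |= recorded_shield_types(rec)
    return set(SHIELD_RESOURCE_TYPES) - covered


def unprotected_by_health_check(protections_response: Dict) -> List[str]:
    """ARNs of Shield Advanced-protected resources with no Route 53 health check
    associated; proactive engagement cannot act on these."""
    return [p["ResourceArn"] for p in protections_response.get("Protections", [])
            if not p.get("HealthCheckIds")]


def stacksets_blockers(org_response: Dict, service_access_response: Dict) -> List[str]:
    """Reasons service-managed StackSets cannot be used yet (empty list == OK)."""
    problems: List[str] = []
    if org_response.get("Organization", {}).get("FeatureSet") != "ALL":
        problems.append("AWS Organizations does not have all features enabled")
    enabled = {p.get("ServicePrincipal")
               for p in service_access_response.get("EnabledServicePrincipals", [])}
    if STACKSETS_SERVICE_PRINCIPAL not in enabled:
        problems.append(f"trusted access not activated for {STACKSETS_SERVICE_PRINCIPAL}")
    return problems


# Constructed sample responses (not captured from a real account).
SAMPLE_RECORDERS_INCLUSION = {"ConfigurationRecorders": [{
    "name": "default",
    "recordingGroup": {
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
        "resourceTypes": ["AWS::ShieldRegional::Protection", "AWS::EC2::Instance"],
    }}]}
SAMPLE_RECORDERS_EXCLUSION = {"ConfigurationRecorders": [{
    "name": "default",
    "recordingGroup": {
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
        "exclusionByResourceTypes": {"resourceTypes": ["AWS::ShieldRegional::Protection"]},
    }}]}
SAMPLE_RECORDERS_LEGACY_ALL = {"ConfigurationRecorders": [{
    "name": "default", "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}]}
SAMPLE_PROTECTIONS = {"Protections": [
    {"Id": "p-1", "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/abc",
     "HealthCheckIds": ["hc-1"]},
    {"Id": "p-2", "ResourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE", "HealthCheckIds": []},
]}
SAMPLE_ORG = {"Organization": {"Id": "o-exampleorgid", "FeatureSet": "CONSOLIDATED_BILLING"}}
SAMPLE_SERVICE_ACCESS = {"EnabledServicePrincipals": [{"ServicePrincipal": "fms.amazonaws.com"}]}

if __name__ == "__main__":
    print("Config types missing (inclusion sample):", missing_shield_types(SAMPLE_RECORDERS_INCLUSION))
    print("Config types missing (exclusion sample):", missing_shield_types(SAMPLE_RECORDERS_EXCLUSION))
    print("Config types missing (legacy sample):", missing_shield_types(SAMPLE_RECORDERS_LEGACY_ALL))
    print("Protections lacking a health check:", unprotected_by_health_check(SAMPLE_PROTECTIONS))
    print("StackSets blockers:", stacksets_blockers(SAMPLE_ORG, SAMPLE_SERVICE_ACCESS))
```

Run it once per member account and Region for the AWS Config check (the recorder is a per-Region resource), and once in the management account for the Organizations checks, which only the management account can answer. The exclusion strategy case matters in practice: an account that records "all supported types except a list" looks compliant at a glance but fails health-based detection if a Shield type is on that exclusion list.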