Centrally configure, manage, and audit firewall rules with Automations for AWS Firewall Manager

Publication date: September 2020 (last update: October 2024)

The Automations for AWS Firewall Manager solution helps you centrally configure, manage, and audit firewall rules across your accounts and applications in AWS Organizations. This solution uses AWS Firewall Manager to automatically define and deploy a set of managed rules for AWS WAF and audit checks for Amazon Virtual Private Cloud (Amazon VPC) security groups across your AWS accounts from a single place. If you use AWS Shield Advanced, this solution optionally provides you with one-click automations to set up and configure application layer distributed denial of service (DDoS) protection, proactive event response, and health-based detection.

The process for defining policies and configuring rule sets in Firewall Manager can be challenging and time consuming. To help simplify this process, this solution deploys a set of AWS managed firewall rules and security group audit checks for you. Managed firewall rules provide a set of preconfigured rules to protect web applications running on Amazon CloudFront, Application Load Balancer, and Amazon API Gateway. Security group audit checks continuously monitor and detect overly permissive security group rules to protect your Amazon VPC resources and improve your firewall posture. You can also customize the default Firewall Manager rules deployed by the solution to fit your needs, as described in the Customization guide.

This implementation guide provides an overview of the Automations for AWS Firewall Manager solution, its reference architecture and components, considerations for planning the deployment, and configuration steps for deploying the solution to the Amazon Web Services (AWS) Cloud.

The intended audience for using this solution's features and capabilities in their environment includes solution architects, business decision makers, DevOps engineers, data scientists, and cloud professionals.

Use this navigation table to quickly find answers to these questions:

If you want to know the cost for running this solution, read Cost.

The cost to run the solution in the US East (N. Virginia) Region, excluding automations for Shield Advanced, is approximately:

  • $1,733.00 per month for a small organization

  • $18,951.00 per month for a large organization

The cost to run the solution in the US East (N. Virginia) Region, including deployment of the automations for Shield Advanced, is approximately:

  • $938.82 per month for a small organization

  • $3,352.76 per month for a large organization

Note

Costs are lower when including the automations for Shield Advanced because your Shield Advanced subscription includes many of the features of this solution, such as AWS WAF policies.

If you want to understand the security considerations for this solution, read Security.

This solution uses Parameter Store, a capability of AWS Systems Manager, to initiate create, read, update, and delete (CRUD) operations on the Firewall Manager policies.

If you want to know how to plan for quotas for this solution, read Quotas.

If you want to know which AWS Regions support this solution, read Supported AWS Regions.

If you want to view or download the AWS CloudFormation template included in this solution to automatically deploy the infrastructure resources (the "stack") for this solution, read AWS CloudFormation template.

If you want to access the source code and optionally use the AWS Cloud Development Kit (AWS CDK) to deploy the solution, read GitHub repository.