Automated deployment - Automations for AWS Firewall Manager

Automated deployment

Before you launch this solution, review the architecture, configuration, security, and other considerations discussed in this guide to figure out which installation method best suits your needs. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

Time to deploy: Approximately three minutes

Prerequisite

If you do not have AWS Firewall Manager configured in your AWS Organizations management account, then you must deploy the solution’s prerequisite template first. This template must be deployed in the Organizations management account with the Organizations Full Features option activated prior to deploying the template.

If Firewall Manager is already configured in your AWS Organizations management account, then you can skip the prerequisite template installation and proceed to the Deployment overview to install the aws-fms-automations template in your designated Firewall Manager administrator account.

Note

When installing the prerequisite template, you have the option to designate a separate account in your organization as the Firewall Manager administrator account. If you select this option, you must manually install the aws-fms-automations template in the designated account after installing the prerequisite template in your AWS Organizations management account.

For more information, refer to Install the prerequisite template.

Deployment overview

Use the following steps to deploy this solution on AWS. For detailed instructions, follow the links for each step.

Step 1. Launch the stack

Step 2. Add and manage FMS policies

Step 1. Launch the stack

This automated AWS CloudFormation template deploys Automations for AWS Firewall Manager in the AWS Cloud. You must have AWS Firewall Manager and AWS Organizations set up in your account before launching the stack (refer to Prerequisites for guidance to set up these services).

  1. Sign in to the AWS Management Console and use the button to the right to launch the aws-fms-automations AWS CloudFormation template.

    [Launch solution button: AWS Firewall Manager Automations for AWS Organizations]

    Alternatively, you can download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack, provide a value for the Compliance Reporting parameter and choose Next.

    Parameter             Default   Description
    --------------------  --------  ------------------------------------------------------------
    Compliance Reporting  Yes       Choose Yes or No based on your preference for generating
                                    compliance reports for your Firewall Manager security policies.
  5. On the Configure stack options page, choose Next.

  6. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  7. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a CREATE_COMPLETE status in approximately three minutes.

Step 2. Add and manage FMS policies

You can add AWS FMS policies across multiple OUs and Regions for your business needs. Using AWS Systems Manager parameters, you can manage Regions and OUs where the policies get created or deleted and you can manage the resources under scope using the Tag parameter. Use the following procedure to update each parameter:

  1. Sign in to the AWS Systems Manager console.

  2. On the left menu pane, under Application Management, select Parameter Store.

  3. Select the parameter to update and choose Edit.

  4. Update the value.

  5. Choose Save changes.

You can update these parameters at any time and as many times as needed to meet your use cases and preferences for setting up your OUs, Regions, and tags. These parameters have the following format:

  • /FMS/<PolicyID>/OUs: <StringList>

  • /FMS/<PolicyID>/Regions: <StringList>

  • /FMS/<PolicyID>/Tags: <String>

For examples on updating these parameters, refer to Scenarios for setting up the Systems Manager parameters.

Access the Systems Manager Parameter Store history

Take the following steps to identify the person that invoked a change to the parameters in the Systems Manager Parameter Store:

  1. Sign in to the AWS Systems Manager console.

  2. On the left menu pane, under Application Management, select Parameter Store.

  3. Select the parameter and choose View Details.

  4. Choose History.
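The parameter format above and the Parameter Store history steps can both be handled without the console. The following added example (not part of the solution's own code) builds the /FMS/<PolicyID>/... names, checks OU and Region values before they are written as a StringList, and turns the output of ssm get-parameter-history into an audit trail of who added or removed which entries. The policy ID, ARNs and OU IDs are constructed sample values, and the Region check is a simple format test rather than a list of live Regions.

```python
"""Validate and audit the /FMS/<PolicyID>/{OUs,Regions,Tags} SSM parameters."""
import re

# OU and root ID formats as documented for the AWS Organizations API.
OU_ID = re.compile(r"^(ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}|r-[0-9a-z]{4,32})$")
# Loose shape check for Region names (us-east-1, us-gov-west-1, ...).
REGION = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def parameter_name(policy_id, kind):
    """Build the parameter name, e.g. /FMS/ExamplePolicy/OUs."""
    if kind not in ("OUs", "Regions", "Tags"):
        raise ValueError("kind must be OUs, Regions or Tags")
    return f"/FMS/{policy_id}/{kind}"


def string_list(values, pattern):
    """Return a comma-separated SSM StringList after checking every item."""
    bad = [v for v in values if not pattern.match(v)]
    if bad:
        raise ValueError(f"rejected values: {bad}")
    return ",".join(values)


def ou_list(ous):
    return string_list(ous, OU_ID)


def region_list(regions):
    return string_list(regions, REGION)


def audit_history(history):
    """Take the 'Parameters' list returned by ssm get-parameter-history and
    report, per version, who changed a StringList and what was added/removed."""
    report, previous = [], set()
    for item in sorted(history, key=lambda h: h["Version"]):
        current = set(filter(None, item["Value"].split(",")))
        report.append({"version": item["Version"],
                       "user": item["LastModifiedUser"],
                       "added": sorted(current - previous),
                       "removed": sorted(previous - current)})
        previous = current
    return report


# Constructed sample history in the shape of get-parameter-history output.
SAMPLE_HISTORY = [
    {"Version": 1, "LastModifiedUser": "arn:aws:iam::111122223333:user/alice",
     "Value": "ou-abcd-11111111"},
    {"Version": 2, "LastModifiedUser": "arn:aws:iam::111122223333:role/Deployer",
     "Value": "ou-abcd-11111111,ou-abcd-22222222"},
]
```

With real data, feed `aws ssm get-parameter-history --name /FMS/<PolicyID>/OUs` JSON into audit_history to see which principal widened or narrowed the policy scope.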

Note

If you want to customize the default policies or want different policies being applied to different OUs and Regions, refer to Customize policies. This section describes how you can use aws-fms-policy.template to apply a different set of policies to different OUs/Regions.