Customize policies - Automations for AWS Firewall Manager

Customize policies

This solution deploys AWS Firewall Manager security policies with default configurations. However, you can change policy settings or apply different policies to different OUs and Regions.

To change the default Firewall Manager security policy configuration, follow these steps after installing the solution.

  1. After the solution deployment succeeds, sign in to the Amazon S3 console and choose <Stack-Name>-XX-policymanifestbucket-xx S3 bucket.

  2. Refer to the policy_manifest.json file in the bucket.

  3. Download the manifest file and make adjustments to the default settings in the policy manifest. For more information, refer to Policy manifest file. Upload the updated manifest file in the same location.

  4. Update the SSM Parameter Store parameters. Writing the OU, Region, or Tag parameter (even with its existing value) triggers the solution, which re-reads the manifest and updates the FMS policies to reflect the changes made in Step 3.

To apply different policies to different OUs or Regions, follow these steps:

  1. Use aws-fms-policy.template to launch additional resources needed to support different policies for different OUs/Regions. You can launch this template multiple times for as many policy configurations as needed.


  2. Provide the following stack parameter values:

Parameter           Default   Description
Policy Identifier             A unique identifier for the policies created by this stack.
Policy Table                  DynamoDB table where policy metadata is saved. The table is created as part of the primary template deployment.
UUID                          Unique identifier for the stack deployment. The UUID is created as part of the primary template deployment.
                              Note: this parameter can be left blank if you do not want to send anonymous metrics to the solution's endpoint.
Metric Queue                  SQS queue used to send anonymous metrics to the solution endpoint. The queue is created as part of the primary template deployment.

Note

Policy Table, UUID, and Metric Queue are created as part of the primary stack deployment, and their values are listed in the Outputs section of the deployed primary stack. Provide exactly the values shown there.

  3. Once the deployment succeeds, three more SSM Parameter Store parameters appear in the Systems Manager Parameter Store console, and one more <Stack-Name>-xx-policymanifestbucket-XX bucket appears in the Amazon S3 console.

  4. Set these SSM Parameter Store values (OUs, Regions, and tags) and the solution creates the FMS policies for this stack accordingly. The policy configuration itself is read from the policy_manifest.json file in this stack's manifest bucket, which you can update at any time.

Figure 3: Deploying multiple policy stacks for AWS Firewall Manager

You can create as many policy stacks for different policy configurations as needed and apply them to different OUs/Regions.

Example policy customization scenarios

For details on the policy manifest schema, refer to Policy manifest file. The policy manifest can be configured in any number of ways; the following examples cover some common scenarios.

Change policy auto-remediation behavior

Every policy object in the manifest file carries a remediationEnabled flag. When it is true, Firewall Manager automatically remediates noncompliant resources in scope (for example, by associating the policy's web ACL or protections); when it is false, Firewall Manager only reports compliance. Set it to true or false per policy as required:

"remediationEnabled": false

Add AWS WAF Bot Control rule group

You can customize the WAF_GLOBAL or WAF_REGIONAL policy object in the manifest file to add the AWS managed Bot Control rule group. Add an entry such as the following to the policy's preProcessRuleGroups or postProcessRuleGroups list, alongside any rule groups already in that list rather than replacing them:

"postProcessRuleGroups": [
  {
    "ruleGroupArn": null,
    "overrideAction": { "type": "NONE" },
    "managedRuleGroupIdentifier": {
      "version": null,
      "vendorName": "AWS",
      "managedRuleGroupName": "AWSManagedRulesBotControlRuleSet"
    },
    "ruleGroupType": "ManagedRuleGroup",
    "excludeRules": []
  }
]

With "overrideAction" set to NONE the rule group's own actions apply; setting it to COUNT instead only counts matches, which is a useful first step before enforcing Bot Control on production traffic. Note that Bot Control is a paid managed rule group and incurs AWS WAF charges beyond the base web ACL pricing. For more information about the AWS WAF Bot Control managed rule group, refer to AWS managed rule group lists in the AWS WAF Developer Guide.

Deploy specific policy types

You can also deploy only a selection of the supported FMS policy types:

  • WAF_GLOBAL

  • WAF_REGIONAL

  • SHIELD_GLOBAL

  • SHIELD_REGIONAL

  • SECURITY_GROUPS_USAGE_AUDIT

  • SECURITY_GROUPS_CONTENT_AUDIT

  • DNS_FIREWALL

Each FMS policy type has a JSON object defined in the manifest schema that controls that policy's configuration. Remove the JSON object for a policy type from the manifest file if you do not need that policy; the solution then does not create it.
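The three scenarios above (toggling remediationEnabled, adding the Bot Control rule group, and dropping a policy type) and the manifest update procedure at the top of this page are all edits to one JSON file. The following is an added example, not code from the solution, that performs those edits offline, validates the result, and pushes it back the way the procedure describes. The manifest layout it uses is an assumption for illustration only: top-level keys named after the FMS policy types, each holding remediationEnabled and, for the WAF policies, preProcessRuleGroups and postProcessRuleGroups. Check the Policy manifest file section for the real schema before running push_manifest, which also assumes boto3 and credentials for the Firewall Manager admin account; the bucket, key, and SSM parameter name and value are whatever your deployment created.

```python
"""Offline editing of the solution's policy_manifest.json plus the S3/SSM round trip.
Added example; not the solution's code. Manifest layout is an ASSUMPTION (see lead-in)."""
import copy
import json

SUPPORTED_POLICY_TYPES = {
    "WAF_GLOBAL", "WAF_REGIONAL", "SHIELD_GLOBAL", "SHIELD_REGIONAL",
    "SECURITY_GROUPS_USAGE_AUDIT", "SECURITY_GROUPS_CONTENT_AUDIT", "DNS_FIREWALL",
}
WAF_STAGES = ("preProcessRuleGroups", "postProcessRuleGroups")
BOT_CONTROL = "AWSManagedRulesBotControlRuleSet"


def managed_rule_group(name, vendor="AWS", override="NONE"):
    """Rule-group entry in the shape this page shows for an AWS managed rule group."""
    return {
        "ruleGroupArn": None,
        "overrideAction": {"type": override},
        "managedRuleGroupIdentifier": {"version": None, "vendorName": vendor,
                                       "managedRuleGroupName": name},
        "ruleGroupType": "ManagedRuleGroup",
        "excludeRules": [],
    }


# Constructed sample manifest (NOT the file the solution ships); assumed layout.
_waf = {"remediationEnabled": True,
        "preProcessRuleGroups": [managed_rule_group("AWSManagedRulesCommonRuleSet")],
        "postProcessRuleGroups": []}
SAMPLE_MANIFEST = {
    "WAF_GLOBAL": copy.deepcopy(_waf),
    "WAF_REGIONAL": copy.deepcopy(_waf),
    "SHIELD_GLOBAL": {"remediationEnabled": True},
    "DNS_FIREWALL": {"remediationEnabled": False},
}


def _managed_names(rule_groups):
    # Customer rule groups carry ruleGroupArn and no managedRuleGroupIdentifier.
    return {(rg.get("managedRuleGroupIdentifier") or {}).get("managedRuleGroupName")
            for rg in rule_groups}


def set_remediation(manifest, enabled, policy_types=None):
    """Return a copy with remediationEnabled set on the given policy types (default: all)."""
    out = copy.deepcopy(manifest)
    for ptype in policy_types or list(out):
        out[ptype]["remediationEnabled"] = bool(enabled)
    return out


def add_bot_control(manifest, stage="postProcessRuleGroups"):
    """Append Bot Control once to every WAF policy present, at the chosen stage."""
    if stage not in WAF_STAGES:
        raise ValueError(f"stage must be one of {WAF_STAGES}")
    out = copy.deepcopy(manifest)
    for ptype in ("WAF_GLOBAL", "WAF_REGIONAL"):
        policy = out.get(ptype)
        if policy is None:
            continue
        present = set().union(*(_managed_names(policy.get(s, [])) for s in WAF_STAGES))
        if BOT_CONTROL in present:  # already configured in either stage; do not duplicate
            continue
        policy.setdefault(stage, []).append(managed_rule_group(BOT_CONTROL))
    return out


def drop_policy_types(manifest, types):
    """Return a copy without the given policy-type objects so they are not created."""
    unknown = set(types) - SUPPORTED_POLICY_TYPES
    if unknown:
        raise ValueError(f"not a supported FMS policy type: {sorted(unknown)}")
    return {k: copy.deepcopy(v) for k, v in manifest.items() if k not in set(types)}


def validate(manifest):
    """Return a list of problems found by these (assumed-schema) checks; [] means OK."""
    problems = []
    for ptype, policy in manifest.items():
        if ptype not in SUPPORTED_POLICY_TYPES:
            problems.append(f"{ptype}: unsupported policy type")
            continue
        if not isinstance(policy.get("remediationEnabled"), bool):
            problems.append(f"{ptype}: remediationEnabled must be true/false")
        if ptype.startswith("WAF_"):
            for stage in WAF_STAGES:
                if not isinstance(policy.get(stage), list):
                    problems.append(f"{ptype}: {stage} must be a list")
    return problems


def push_manifest(bucket, key, manifest, parameter_name, parameter_value):
    """Upload the edited manifest to the manifest bucket, then rewrite one of the
    solution's SSM parameters so it re-reads the manifest and updates the FMS policies.
    Assumes boto3 and admin-account credentials; names/values come from your deployment."""
    import boto3  # assumption: available where this runs
    problems = validate(manifest)
    if problems:
        raise ValueError("; ".join(problems))
    boto3.client("s3").put_object(Bucket=bucket, Key=key,
                                  Body=json.dumps(manifest, indent=2).encode())
    # Overwrite keeps the parameter's existing type; the write itself is the trigger.
    boto3.client("ssm").put_parameter(Name=parameter_name, Value=parameter_value,
                                      Overwrite=True)
```

Typical use is to download policy_manifest.json from the manifest bucket, load it with json.loads, chain the edits (for example add_bot_control(set_remediation(manifest, False))), run validate, and only then call push_manifest. Keep the download in version control so a later manifest change can be diffed before it is applied.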

If the policy has already been created by the solution, use the following steps to delete a specific policy type:

  1. Delete the deployed FMS policy type.

    1. Log in to the AWS Firewall Manager admin account.

    2. Identify the policy to be deleted.

    3. Select the policy and choose Delete.

    4. Choose Delete all policy resources in the pop-up window and choose Delete.

  2. Update the policy manifest file in the bucket. For more information, refer to Policy manifest file.

  3. Update SSM Parameter Store parameter. For more information, refer to Step 2. Add and manage FMS policies.