Install the prerequisite template - Automations for AWS Firewall Manager

Install the prerequisite template

Prerequisites (optional)

Installing the Firewall Manager prerequisite template in an AWS Organizations management account with the default parameters builds the following environment in the AWS Cloud.

Architecture: Prerequisites
Figure 12: Architecture: Turn on prerequisites

When the template is deployed in an AWS Organizations management account, an AWS Lambda function checks for the following prerequisites:

  1. The AWS Organizations All Features is activated.

  2. The AWS Firewall Manager admin is configured.

  3. Optional: AWS Config is activated.


This check is done when you activate AWS Config (set to Yes) during deployment of the prerequisite template.

The Lambda function installs the prerequisites. If there are errors during prerequisite installation, a stack rollback occurs with an error message.

To view the prerequisites for using AWS Firewall Manager, refer to Prerequisite.

aws-fms-prereq.template: Use this template to launch the solution prerequisite template. The default configuration deploys AWS Lambda functions, AWS CloudFormation StackSets, and AWS Config resources.

Step 1. Launch the prerequisite stack

This automated AWS CloudFormation template deploys the Firewall Manager prerequisite template in the AWS Cloud.


You are responsible for the cost of the AWS services used while running this solution. For more details, visit the Cost section in this guide, and refer to the pricing webpage for each AWS service used in this solution.

  1. Sign in to the AWS Management Console and use the button to the right to launch the aws-fms-prereq AWS CloudFormation template.

              AWS Firewall Manager Automations for AWS Organizations Prerequisite launch button

    Alternatively, you can download the template as a starting point for your own implementation.

  2. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

  3. On the Specify stack details page, assign a name to your solution stack.

  4. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    Parameter Default Description
    FMS Admin Account ID <Requires input> Add your AWS Firewall Manager service admin account ID, if you have already configured your FMS admin account. Otherwise, specify an Organizations member account ID that you want as designated Firewall Manager admin account.
    Enable Config Yes Activate AWS Config across the organization for the resources required by Firewall Manager. If you already have Config activated, select No.
  5. Choose Next.

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  8. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a CREATE_COMPLETE status in approximately 10 minutes.

Step 2. Manually activate AWS Firewall Manager (Optional)

Use the following procedure to manually activate AWS Firewall Manager in AWS Organizations.

  1. Activate AWS Organizations Full Feature.

  2. Activate AWS Config on all Organizations member accounts.

  3. Designate a member account as Firewall Manager Admin.

For additional information to enable Firewall Manager, refer to AWS Firewall Manager prerequisites in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.