Set up the Systems Manager parameters - Automations for AWS Firewall Manager

Set up the Systems Manager parameters

This solution uses three Systems Manager parameters to initiate creating, updating, and deleting Firewall Manager policies. Review the following scenarios for guidance on setting up these Systems Manager tasks:

  • Create policies across two OUs and five AWS Regions

  • Delete tags from policies

  • Delete Regional policies

  • Delete all policies

Each of the parameters is a StringList type. Use commas to separate each string.

Create policies across OUs and Regions

Use the following steps to create policies across two OUs and five AWS Regions with the scope of policies restricted to a certain tag value.

Note

For this example, we use the following values to represent variables:

  • OUs: ou-xxxx-y1y1y1y1,ou-yyyy-x2x2x2x2

  • Regions: us-east-1,us-east-2,us-west-1,us-west-2,eu-west-1

  • Tag: {"ResourceTags":[{"Key":"Environment","Value":"Prod"}],"ExcludeResourceTags":false}

  1. Sign in to the AWS Systems Manager console.

  2. On the navigation menu, under Application Management, select Parameter Store.

  3. Update the /FMS/OUs parameter:

    1. Select the /FMS/OUs parameter and choose Edit.

    2. Update the parameter with the OU values. For this example, we use: ou-xxxx-y1y1y1y1,ou-yyyy-x2x2x2x2.

    3. This action creates the Global AWS WAF and AWS Shield Advanced policies.

  4. Update the /FMS/Regions parameter:

    1. Select the /FMS/Regions parameter and choose Edit.

    2. Update the /FMS/Regions parameter with the chosen Regions. For this example, we use: us-east-1,us-east-2,us-west-1,us-west-2,eu-west-1.

    3. This action creates the Regional policies (one AWS WAF, one AWS Shield, and two Security Groups).

  5. Update the /FMS/Tags parameter:

    1. Select the /FMS/Tags parameter and choose Edit.

    2. Update the /FMS/Tags parameter with the tag value. For this example, we use: {"ResourceTags":[{"Key":"Environment","Value":"Prod"}],"ExcludeResourceTags":false}.

    3. This action updates all policies with the provided tag value.

The solution creates the Firewall Manager policies after you complete these steps. You should see two global policies, plus four Regional policies in each of the selected Regions. In this scenario, 22 total policies are created, using the following formula:

(4 Regional policies × 5 Regions) + 2 global policies
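The console steps above can also be driven from a script that validates each value before writing it, which catches a malformed OU id, Region name, or tag document before the solution acts on it. The following is an added example, not code from the Automations for AWS Firewall Manager solution. It assumes the parameter names /FMS/OUs, /FMS/Regions and /FMS/Tags, their StringList type, the write order the steps use (OUs, then Regions, then Tags), and the delete value described later on this page; the OU id and Region name patterns are this example's own assumptions. The write goes through the standard PutParameter API via boto3, and a client object can be injected so the function can be exercised without AWS credentials.

```python
"""Validate and write the three Systems Manager parameters the solution reads.

Added example, not part of the Automations for AWS Firewall Manager solution.
"""
import json
import re

try:
    import boto3  # only needed to write real parameters
except ImportError:  # keeps the example importable offline
    boto3 = None

DELETE = "delete"  # value the solution treats as a delete request

# Assumed formats (not stated in the guide): OU ids look like
# ou-xxxx-yyyyyyyy and Region names like us-east-1.
OU_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")


def split_string_list(value: str) -> list[str]:
    """StringList parameters are comma-separated; reject empty items."""
    items = [item.strip() for item in value.split(",")]
    if any(item == "" for item in items):
        raise ValueError("empty item in StringList value: %r" % value)
    return items


def validate_ous(value: str) -> list[str]:
    if value == DELETE:
        return [DELETE]
    ous = split_string_list(value)
    bad = [ou for ou in ous if not OU_RE.match(ou)]
    if bad:
        raise ValueError("not an OU id: %s" % ", ".join(bad))
    return ous


def validate_regions(value: str) -> list[str]:
    if value == DELETE:
        return [DELETE]
    regions = split_string_list(value)
    bad = [r for r in regions if not REGION_RE.match(r)]
    if bad:
        raise ValueError("not a Region name: %s" % ", ".join(bad))
    if len(set(regions)) != len(regions):
        raise ValueError("duplicate Region in list")
    return regions


def validate_tags(value: str) -> dict:
    """The tag value is one JSON document with ResourceTags and ExcludeResourceTags."""
    if value == DELETE:
        return {}
    doc = json.loads(value)
    if not isinstance(doc, dict):
        raise ValueError("tag value must be a JSON object")
    tags = doc.get("ResourceTags")
    if not isinstance(tags, list) or not all(
        isinstance(t, dict)
        and isinstance(t.get("Key"), str)
        and isinstance(t.get("Value"), str)
        for t in tags
    ):
        raise ValueError("ResourceTags must be a list of {Key, Value} objects")
    if not isinstance(doc.get("ExcludeResourceTags"), bool):
        raise ValueError("ExcludeResourceTags must be true or false")
    return doc


def expected_policy_count(regions: list[str]) -> int:
    """(4 Regional policies x N Regions) + 2 global policies, per the guide's formula."""
    return 4 * len(regions) + 2


def put_parameters(ous: str, regions: str, tags: str, client=None) -> list[dict]:
    """Validate all three values, then write them with PutParameter in the guide's order."""
    validate_ous(ous)
    validate_regions(regions)
    validate_tags(tags)
    if client is None:
        if boto3 is None:
            raise RuntimeError("boto3 is required to write real parameters")
        client = boto3.client("ssm")
    calls = []
    for name, value in (("/FMS/OUs", ous), ("/FMS/Regions", regions), ("/FMS/Tags", tags)):
        kwargs = {"Name": name, "Type": "StringList", "Value": value, "Overwrite": True}
        client.put_parameter(**kwargs)  # standard SSM PutParameter call
        calls.append(kwargs)
    return calls
```

With the five Regions from this example, `expected_policy_count(validate_regions(...))` returns 22, matching the formula above; passing `"delete"` for any value skips format validation and writes the sentinel as-is.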

Delete tags from policies

To delete tags from the policies, complete the following steps:

  1. Sign in to the AWS Systems Manager console.

  2. On the navigation menu, under Application Management, select Parameter Store.

  3. Select the /FMS/Tags parameter and choose Edit.

  4. Update the /FMS/Tags parameter using the following value: delete

This action updates all policies and removes the applied tags.

Delete Regional policies

To delete all Regional policies, complete the following steps:

  1. Sign in to the AWS Systems Manager console.

  2. On the navigation menu, under Application Management, select Parameter Store.

  3. Select the /FMS/Regions parameter and choose Edit.

  4. Update the /FMS/Regions parameter using the following value: delete

This action deletes all Regional policies.

Delete policies

To delete all policies, complete the following steps:

  1. Sign in to the AWS Systems Manager console.

  2. On the navigation menu, under Application Management, select Parameter Store.

  3. Select the /FMS/OUs parameter and choose Edit.

  4. Update the /FMS/OUs parameter using the following value: delete

Note

The policy metadata is stored in the DynamoDB table. Don’t delete this table while you’re using the solution.