Centrally configure, manage, and audit firewall rules with Automations for AWS Firewall Manager

Publication date: September 2020 (last update: January 2024)

The Automations for AWS Firewall Manager solution helps you centrally configure, manage, and audit firewall rules across your accounts and applications in AWS Organizations. This solution uses AWS Firewall Manager to automatically deploy a set of managed rules for AWS WAF and audit checks for Amazon Virtual Private Cloud (Amazon VPC) security groups across your AWS accounts from a single place. This solution also provides AWS Shield Advanced customers with the option to deploy Distributed Denial of Service (DDoS) protection across accounts.

The process for defining policies and configuring rule sets in Firewall Manager can be challenging and time consuming. To help simplify this process, this solution deploys a set of AWS managed firewall rules and security group audit checks for you. Managed firewall rules provide a set of preconfigured rules to protect web applications running on Amazon CloudFront, Application Load Balancer, and Amazon API Gateway. Security group audit checks continuously monitor and detect overly permissive security group rules to protect your Amazon VPC resources and improve your firewall posture.

This solution automates the onboarding process for Firewall Manager and sets up baseline rules and audit checks for AWS Organizations. You can scope the policies to specific organizational units (OUs), Regions, or tagged resources within your AWS Organizations account. When you modify the installed AWS Systems Manager Parameter Store parameters, this solution updates and deploys the policies to the specified resources.

You can deploy the supplemental AWS CloudFormation template included in this solution into an AWS Organizations management account to configure the prerequisites for this solution automatically. For example:

  • Checking that all features for AWS Organizations are activated.

  • Designating an account as the admin account for Firewall Manager.

  • Enabling AWS Config across an AWS Organization.

This implementation guide provides an overview of the Automations for AWS Firewall Manager solution, its reference architecture and components, considerations for planning the deployment, and configuration steps for deploying the solution to the Amazon Web Services (AWS) Cloud.

The intended audience for using this solution's features and capabilities in their environment includes solution architects, business decision makers, DevOps engineers, data scientists, and cloud professionals.

Use this navigation table to quickly find answers to these questions:

  • If you want to know the cost for running this solution, read: Cost. The estimated cost for running AWS resources for this solution in the US East (N. Virginia) Region is USD $1,733.00 per month for a small organization or $18,951.00 per month for a large organization.

  • If you want to understand the security considerations for this solution, read: Security. This solution uses Parameter Store to initiate create, read, update, and delete (CRUD) operations on the Firewall Manager policies.

  • If you want to know how to plan for quotas for this solution, read: Quotas.

  • If you want to know which AWS Regions support this solution, read: Supported AWS Regions.

  • If you want to view or download the CloudFormation template included in this solution to automatically deploy the infrastructure resources (the "stack") for this solution, read: AWS CloudFormation template.