Step 4: (Optional) Launch the Shield Advanced Automations Prerequisite stack - Automations for AWS Firewall Manager

Important

Before launching the Shield Advanced Automations Prerequisite stack as a service-managed StackSet, you must first enable trusted access with AWS Organizations. For more information, refer to Activate trusted access for stack sets with Organizations in the AWS CloudFormation User Guide.

Follow the step-by-step instructions in this section to configure and deploy the Shield Advanced Automations Prerequisite template into your account. This template is deployed as a service-managed StackSet to member accounts in your AWS Organization.

Time to deploy: Approximately five minutes

  1. Sign in to the AWS Management Console and select the button to launch the aws-fms-shield-automations-prereq.template CloudFormation template. Since this template is deployed as a service-managed StackSet, you must sign in using the Organization’s management account or a delegated administrator account in your AWS Organization.

  2. On the Choose a template page, verify that the correct template URL is in the Amazon S3 URL text box. Choose Next.

  3. On the Specify StackSet details page, assign a name to your solution StackSet. For information about naming character limitations, see IAM and AWS STS quotas in the AWS Identity and Access Management User Guide.

  4. Choose Next.

  5. On the Configure StackSet options page, choose your preferred execution configuration, then choose Next.

  6. On the Set deployment options page under Add stacks to stack set, choose Deploy new stacks.

  7. Under Deployment targets, choose where you would like to deploy the StackSet. We recommend choosing Deploy to organization if you want to enable Shield Advanced health-based detection across your AWS Organization.

  8. Under Auto-deployment options, choose how you would like to handle automatic deployments. We recommend choosing Activated for Automatic Deployment and Delete stacks for Account removal behavior.

  9. Under Specify regions, choose the Region where you would like to deploy the StackSet. You must deploy in the same Region where you plan to deploy the Shield Advanced Automations stack. We recommend deploying in a single Region to start.

  10. Under Deployment options, choose your preferred deployment concurrency. We recommend keeping the default settings, which restrict deployment to a single concurrent account with strict failure tolerance.

  11. Choose Next.

  12. On the Review page, review and confirm the settings. Select the boxes acknowledging that the template creates IAM resources.

  13. Choose Create stack to deploy the stack.

You can view the status of the StackSet in the AWS CloudFormation console on the StackSets page. You should receive a CREATE_COMPLETE status in approximately five minutes, depending on how many accounts the StackSet is deployed to.
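The same deployment, scripted with the AWS CLI so that the Important note's trusted-access prerequisite is checked before anything is created. This is an added example, not part of the solution's own tooling; the template URL, the organization root ID (ORG_ROOT_ID) and the Region are placeholders you must replace.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console steps above. Replace the placeholders before use.
set -eu

AWS="${AWS:-aws}"    # set AWS=echo to dry-run and inspect the generated commands
STACK_SET_NAME="${STACK_SET_NAME:-shield-advanced-automations-prereq}"   # step 3
# Placeholder URL: use the template URL shown in the console's Amazon S3 URL box (step 2)
TEMPLATE_URL="${TEMPLATE_URL:-https://EXAMPLE-BUCKET.s3.amazonaws.com/aws-fms-shield-automations-prereq.template}"
ORG_ROOT_ID="${ORG_ROOT_ID:-r-EXAMPLE}"   # placeholder; find it with: aws organizations list-roots
REGION="${REGION:-us-east-1}"             # must match the Region of the Shield Advanced Automations stack (step 9)
CALL_AS="${CALL_AS:-SELF}"                # SELF from the management account, DELEGATED_ADMIN from a delegated admin

# Important box: trusted access for StackSets must already be enabled in Organizations.
# Takes the enabled service principals (as text) and succeeds only if the StackSets principal is present.
trusted_access_enabled() {
  case "$1" in
    *member.org.stacksets.cloudformation.amazonaws.com*) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 1-5 and 8: service-managed StackSet, automatic deployment on, stacks deleted on account removal.
create_prereq_stack_set() {
  "$AWS" cloudformation create-stack-set \
    --stack-set-name "$STACK_SET_NAME" \
    --template-url "$TEMPLATE_URL" \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
    --call-as "$CALL_AS"
}

# Steps 6, 7, 9, 10: deploy to the whole organization in one Region, one account at a time, no failure tolerance.
create_prereq_stack_instances() {
  "$AWS" cloudformation create-stack-instances \
    --stack-set-name "$STACK_SET_NAME" \
    --deployment-targets OrganizationalUnitIds="$ORG_ROOT_ID" \
    --regions "$REGION" \
    --operation-preferences MaxConcurrentCount=1,FailureToleranceCount=0 \
    --call-as "$CALL_AS"
}

if [ "${1:-}" = "run" ]; then
  principals=$("$AWS" organizations list-aws-service-access-for-organization \
    --query 'EnabledServicePrincipals[].ServicePrincipal' --output text)
  trusted_access_enabled "$principals" ||
    { echo "Enable trusted access for StackSets in Organizations first." >&2; exit 1; }
  create_prereq_stack_set
  create_prereq_stack_instances
fi
```

Run it as `sh deploy-prereq.sh run` from the management or delegated administrator account; the StackSet operation then shows up on the StackSets page as described above.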

Note

In addition to the primary Lambda functions, this solution includes the solution-helper Lambda function, which runs only during initial configuration or when resources are updated or deleted.

When you run this solution, you will notice both Lambda functions in the AWS Management Console. Only the primary functions are regularly active. However, you must not delete the solution-helper function, as it is necessary to manage associated resources.