Centrally configure, manage, and audit firewall rules with AWS Firewall Manager Automations for AWS Organizations

Publication date: September 2020 (last update: August 2021)

The AWS Firewall Manager Automations for AWS Organizations solution helps you centrally configure, manage, and audit firewall rules across your accounts and applications in AWS Organizations. This solution uses AWS Firewall Manager to automatically deploy a set of managed rules for AWS Web Application Firewall (AWS WAF), and audit checks for VPC security groups and DNS Firewall rules, across your AWS accounts from a single place. This solution also provides AWS Shield Advanced customers with the option to deploy Distributed Denial of Service (DDoS) protection across accounts.

The process for defining policies and configuring rule sets in AWS Firewall Manager can be challenging and time consuming. To help simplify this process, this solution deploys a set of AWS managed firewall rules for you. Managed firewall rules provide a set of preconfigured rules to protect web applications running on Amazon CloudFront, Application Load Balancer, and Amazon API Gateway. Security group audit checks continuously monitor and detect overly permissive security group rules to protect your Amazon VPC resources and improve your firewall posture.
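To make the security group audit concept concrete, the following is an added illustration and not code from the solution or from AWS Firewall Manager. It runs the kind of "overly permissive" check an audit policy performs over a constructed sample of security groups shaped like the output of the EC2 `DescribeSecurityGroups` API; the set of ports treated as intentionally public (`ALLOWED_PUBLIC_TCP_PORTS`) is an assumed organizational policy, not something the page specifies.

```python
"""Illustrative security group audit (added example, not the solution's own code).

Flags ingress rules that admit traffic from anywhere on the internet
(0.0.0.0/0 or ::/0), except for an assumed allow-list of public TCP ports.
The sample groups below are constructed, not taken from a real account.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Assumed policy: ports an organization deliberately exposes for web traffic.
ALLOWED_PUBLIC_TCP_PORTS = {80, 443}


@dataclass
class Finding:
    group_id: str
    protocol: str
    from_port: Optional[int]
    to_port: Optional[int]
    cidr: str
    reason: str


def audit_security_group(group: Dict) -> List[Finding]:
    """Return one Finding per ingress rule that is open to the whole internet."""
    findings: List[Finding] = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")  # "-1" means all protocols
        from_port = perm.get("FromPort")
        to_port = perm.get("ToPort")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr not in (ANY_IPV4, ANY_IPV6):
                continue  # scoped source; not an internet-wide exposure
            if proto == "-1":
                reason = "all protocols and ports open to the internet"
            elif proto == "tcp" and from_port == to_port and from_port in ALLOWED_PUBLIC_TCP_PORTS:
                continue  # intentional public web port under the assumed policy
            elif from_port != to_port:
                reason = f"{proto} port range {from_port}-{to_port} open to the internet"
            else:
                reason = f"{proto} port {from_port} open to the internet"
            findings.append(Finding(group["GroupId"], proto, from_port, to_port, cidr, reason))
    return findings


def audit_all(groups: List[Dict]) -> List[Finding]:
    """Audit every group in a DescribeSecurityGroups-style list."""
    return [f for g in groups for f in audit_security_group(g)]


# Constructed sample input mimicking DescribeSecurityGroups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_GROUPS):
        print(f"{finding.group_id}: {finding.reason} (source {finding.cidr})")
```

Running the block reports three findings (sg-db, sg-open, sg-range) and accepts sg-web and sg-admin. A Firewall Manager security group audit policy applies the same kind of evaluation continuously and across every member account, which is the difference between a one-off script like this and the managed posture the solution sets up.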

This solution automates the onboarding process for Firewall Manager and sets up baseline rules and audit checks for AWS Organizations, allowing you to restrict policies to specific organizational units (OUs), Regions, or tagged resources within your AWS Organizations account. When you modify the installed AWS Systems Manager Parameter Store parameters, this solution updates and deploys the policies to the specified resources.

This solution also includes an AWS CloudFormation supplemental template. When this template is deployed in an AWS Organizations management account, the solution automates the configuration of prerequisites, such as checking that Organizations Full Feature is activated and designating an account as the admin account for Firewall Manager. Optionally, this template can also automate the configuration of prerequisites, such as enabling AWS Config across the organization.

This implementation guide describes architectural considerations and configuration steps for deploying AWS Firewall Manager Automations for AWS Organizations in the Amazon Web Services (AWS) Cloud. It includes links to an AWS CloudFormation template that launches and configures the AWS services required to deploy this solution using AWS best practices for security and availability.

This guide is intended for IT administrators and DevOps professionals who have practical experience architecting in the AWS Cloud.