AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

Creating an AWS Firewall Manager Policy

When you create an AWS Firewall Manager policy, you specify which rule group to add to the policy.

To create a Firewall Manager policy (console)

  1. Sign in to the AWS Management Console using the Firewall Manager administrator account that you set up in the prerequisites, and then open the Firewall Manager console at


    For information about setting up a Firewall Manager administrator account, see Step 2: Set the AWS Firewall Manager Administrator Account.

  2. In the navigation pane, choose Security policies.

  3. Choose Create policy.

  4. If you already created the rule group that you want to add to the policy, choose Create an AWS Firewall Manager policy and add existing rule groups. If you want to create a new rule group, choose Create an AWS Firewall Manager policy and add a new rule group.

  5. If you are using an existing rule group, skip this step and go to the next step. If you are creating a rule group, follow the instructions in Creating a Rule Group. After you create the rule group, continue with the following steps.

  6. Type a policy name.

  7. For Region, choose an AWS Region.

  8. Select a rule group to add, and then choose Add rule group.

  9. A policy has two possible actions: Action set by rule group and Count. If you want to test the policy and rule group, set the action to Count. This action overrides any block action specified by the rule group contained in the policy. That is, if the policy's action is set to Count, those requests are only counted and not blocked. Conversely, if you set the policy's action to Action set by rule group, actions of the rule group in the policy are used. Choose the appropriate action.

  10. Choose Next.

  11. If you want to include only specific accounts in the policy, or alternatively exclude specific accounts from the policy, select Select accounts to include/exclude from this policy (optional). Choose either Include only these accounts in this policy or Exclude these accounts from this policy. You can choose only one option. Choose Add. Select the account numbers to include or exclude and choose OK.


    If you don't select this option, Firewall Manager applies a policy to all accounts in your organization in AWS Organizations. If you add a new account to the organization, Firewall Manager automatically applies the policy to that account.

  12. Choose the type of resource that you want to protect.

    You can select only one type of resource per policy.

  13. If you want to protect only resources with specific tags, or alternatively exclude resources with specific tags, select Use tags to include/exclude resources, type the tags and then choose either Include or Exclude. You can choose only one option.

    If you enter more than one tag (separated by commas), if a resource has any of those tags, it is considered a match.

    For more information about tags, see Working with Tag Editor .

  14. If you want to automatically apply the policy to existing resources, choose Create and apply this policy to existing and new resources.

    This option creates a web ACL in each applicable account within an organization in AWS Organizations and associates the web ACL with the resources in the accounts. This option also applies the policy to all new resources that match the preceding criteria (resource type and tags). Alternatively, if you choose Create policy but do not apply the policy to existing or new resources, Firewall Manager creates a web ACL in each applicable account within the organization, but doesn't apply the web ACL to any resources. You must apply the policy to resources later. Choose the appropriate option.

  15. Choose Next.

  16. Review the new policy. To make any changes, choose Edit. When you are satisfied with the policy, choose Create and apply policy.