Historically, AWS accounts were logically separated from each other which was a limitation for multi-account customers because AWS resources were scoped to a single account. As customer needs evolved, such as requiring SSO and centralized management, AWS rolled out a new service to meet those needs - AWS Organizations. From the official AWS documentation:
“AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.”
AWS Organizations allows customers to create multiple AWS accounts while maintaining a central authority. It groups accounts into Organizational Units which can leverage Resource Access Manager to share resources and have Service Control Policies (SCPs) applied to them. For a primer on SCPs, check out our blog and our repo with plenty of production ready policies written in Terraform.
At first, Organizations created a new challenge when creating and maintaining rules to control ingress into each account. AWS Firewall Manager was created to solve this challenge and simplify managing rules in various network security services such as AWS WAF, AWS Shield, Security Groups, and AWS Network Firewalls. AWS Firewall Manager allows customers to manage all of these rules, across the organization, using a single, centralized account.
Getting Started
Since Firewall Manager was created to simplify managing multi-account firewall rules, it requires AWS Organizations to be set up. Once a Firewall Manager administration account has been designated, configure AWS Config to monitor at least the network security resources - WAF policies, Shield policies, Security Groups, Network Firewall policies, and DNS Firewall policies. Finally, enable resource sharing within the organization. The Firewall Manager administration account can now be used to manage network security rules across the entire AWS organization. This blog will outline how to use it to centrally manage AWS WAF and Security Group policies.
AWS WAF
AWS WAF is a managed web application firewall which can monitor HTTP/S requests to public AWS endpoints.
WAF rules are attached to these endpoints which can block/allow requests based on specific conditions or known attacks, such as SQL injection. Firewall Manager can greatly reduce the burden of managing various WAF rules for different services. Instead of attaching WAF rules per resource, Firewall Manager policies can be created to automatically attach WAF rules to specific resources based on various conditions.
Source: Amazon AWS
Creating a Firewall Manager policy for AWS WAF is very similar to making a WAF rule:
- Under Security Policies, click Create policy, then chose AWS WAF
- Select a region. Use Global to protect a CloudFront Distribution
- Give the policy an easily understandable name
- Select the rule groups for WAF to evaluate as well as the default action
- Select the accounts or organizational units this policy will apply to
- Chose the types of resources to protect, which tags to look for, and which tags to apply to the policy
Security Groups
Security Groups are stateful managed firewalls which can be attached to certain resources such as EC2 instances. They are an essential part of a network security strategy. Security Groups use rules to determine which traffic is allowed. These rules consist of a direction (ingress/egress), a source (IP or security group), a protocol, and a port. Firewall Manager can simplify and automate the process of deciding which security groups to apply to certain instances. For example, a policy stating that all instances with a tag of “Application 1” within “Organizational Unit 1” will get the “Application 1” policy applied. This means that all EC2 instances with that tag in that organizational unit will get the same security group attached and as an added benefit, Firewall Manager will continuously monitor compliance to this policy.
Source: Amazon AWS
- Under Security Policies, click Create policy, then chose Security Group
- Choose the region for this policy and Common security groups as the policy type
- Give the policy an easily understandable name
- Under Add primary security group, create a new security group to use in the desired region. Add this security group to the policy
- For the Policy action, choose Apply policy rules and identify resources that are non-compliant but do not auto remediate so Firewall Manager monitors the compliance of the rule without modifying it
- Choose an appropriate scope, such as limiting this policy to EC2 instances with specific tags
Firewall Manager will now add this security group to all desired instances, automatically add them to new instances, and monitor the attachment status.
Conclusion
Creating Firewall Manager policies is simple and impactful. It allows AWS users to apply various rules per account or organizational unit without resorting to manual work, home-grown automation, or third party tools. Centralized management reduces administrative overhead and, because of AWS Config, FIrewall Manager can continuously monitor compliance to its policies.