An Introduction to AWS Firewall Manager

Historically, AWS accounts were logically separated from each other, which was a limitation for multi-account customers because AWS resources were scoped to a single account. As customer needs evolved, such as requiring SSO and centralized management, AWS rolled out a new service to meet them: AWS Organizations. From the official AWS documentation:

“AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.”

AWS Organizations allows customers to create multiple AWS accounts while maintaining a central authority. It groups accounts into Organizational Units (OUs), which can use Resource Access Manager to share resources and can have Service Control Policies (SCPs) applied to them. For a primer on SCPs, check out our blog and our repo, which contains plenty of production-ready policies written in Terraform.

Check out our blog: Using Terraform to Secure Your AWS Organizations

At first, Organizations created a new challenge: creating and maintaining rules to control ingress into each account. AWS Firewall Manager was created to solve this challenge and to simplify managing rules across network security services such as AWS WAF, AWS Shield, Security Groups, and AWS Network Firewall. Firewall Manager allows customers to manage all of these rules, across the organization, from a single, centralized account.

Getting Started

Because Firewall Manager was created to simplify managing multi-account firewall rules, it requires AWS Organizations to be set up. Once a Firewall Manager administration account has been designated, configure AWS Config to monitor at least the network security resources: WAF policies, Shield policies, Security Groups, Network Firewall policies, and DNS Firewall policies. Finally, enable resource sharing within the organization. The Firewall Manager administration account can now be used to manage network security rules across the entire AWS organization. This blog outlines how to use it to centrally manage AWS WAF and Security Group policies.

AWS WAF

AWS WAF is a managed web application firewall which can monitor HTTP/S requests to public AWS endpoints (more on AWS WAF for Risk Mitigation).

Read more on AWS WAF for Risk Mitigation

WAF rules attached to these endpoints block or allow requests based on specific conditions or known attack patterns, such as SQL injection. Firewall Manager can greatly reduce the burden of managing WAF rules across many services: instead of attaching WAF rules per resource, Firewall Manager policies automatically attach WAF rules to the resources that match the conditions you specify.

Figure: AWS WAF (Source: Amazon AWS)

Creating a Firewall Manager policy for AWS WAF is very similar to making a WAF rule:

  1. Under Security Policies, click Create policy, then choose AWS WAF
  2. Select a region. Use Global to protect a CloudFront Distribution
  3. Give the policy an easily understandable name
  4. Select the rule groups for WAF to evaluate, as well as the default action
  5. Select the accounts or organizational units this policy will apply to
  6. Choose the types of resources to protect, which resource tags to look for, and which tags to apply to the policy

Security Groups

Security Groups are stateful managed firewalls which can be attached to certain resources, such as EC2 instances. They are an essential part of a network security strategy. Security Groups use rules to determine which traffic is allowed. Each rule consists of a direction (ingress/egress), a source (IP range or security group), a protocol, and a port. Firewall Manager can simplify and automate the process of deciding which security groups to apply to which instances. For example, a policy can state that all instances with a tag of “Application 1” within “Organizational Unit 1” get the “Application 1” policy applied. This means that every EC2 instance with that tag in that organizational unit gets the same security group attached, and as an added benefit, Firewall Manager continuously monitors compliance with this policy.

Figure: Security groups central management with Firewall Manager (Source: Amazon AWS)

  1. Under Security Policies, click Create policy, then choose Security Group
  2. Choose the region for this policy and Common security groups as the policy type
  3. Give the policy an easily understandable name
  4. Under Add primary security group, create a new security group to use in the desired region. Add this security group to the policy
  5. For the Policy action, choose Apply policy rules and identify resources that are non-compliant but do not auto remediate so Firewall Manager monitors the compliance of the rule without modifying it
  6. Choose an appropriate scope, such as limiting this policy to EC2 instances with specific tags

Firewall Manager will now add this security group to all in-scope instances, automatically add it to new instances that come into scope, and monitor the attachment status.
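To show how the two console procedures above (the AWS WAF policy and the common security group policy) map onto the Firewall Manager API, here is an added example that is not ScaleSec's code: it builds the put_policy() request bodies for both policy types and summarizes a list_compliance_status() response. It assumes boto3's FMS client is used for the real calls; the rule group names, OU ids, tag values and security group id you pass in are placeholders.

```python
import json

def _policy(name, svc_type, managed, resource_type, tag, ou_ids, remediate):
    """fms.put_policy(Policy=...) envelope; settings go in ManagedServiceData as a JSON string."""
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": svc_type, "ManagedServiceData": json.dumps(managed)},
        "ResourceType": resource_type,
        "ResourceTags": [{"Key": tag[0], "Value": tag[1]}],  # scope by resource tag
        "ExcludeResourceTags": False,
        "RemediationEnabled": remediate,
        "IncludeMap": {"ORG_UNIT": ou_ids},  # OUs the policy applies to
    }

def waf_policy(name, ou_ids, tag, rule_groups, default_action="ALLOW",
               resource_type="AWS::ElasticLoadBalancingV2::LoadBalancer"):
    """AWS WAF policy: AWS managed rule groups to evaluate plus the default action."""
    groups = [{"ruleGroupArn": None, "overrideAction": {"type": "NONE"},
               "managedRuleGroupIdentifier": {"version": None, "vendorName": "AWS",
                                              "managedRuleGroupName": rg},
               "ruleGroupType": "ManagedRuleGroup", "excludeRules": []}
              for rg in rule_groups]
    managed = {"type": "WAFV2", "preProcessRuleGroups": groups,
               "postProcessRuleGroups": [], "defaultAction": {"type": default_action},
               "overrideCustomerWebACLAssociation": False, "loggingConfiguration": None}
    return _policy(name, "WAFV2", managed, resource_type, tag, ou_ids, True)

def security_group_policy(name, ou_ids, tag, sg_id, auto_remediate=False):
    """Common security group policy; RemediationEnabled=False means identify
    non-compliant resources but do not auto remediate (step 5 above)."""
    managed = {"type": "SECURITY_GROUPS_COMMON",
               "revertManualSecurityGroupChanges": False,
               "exclusiveResourceSecurityGroupManagement": False,
               "applyToAllEC2InstanceENIs": False,
               "securityGroups": [{"id": sg_id}]}  # sg_id is a placeholder
    return _policy(name, "SECURITY_GROUPS_COMMON", managed,
                   "AWS::EC2::Instance", tag, ou_ids, auto_remediate)

def noncompliant_accounts(status_list):
    """Map list_compliance_status()['PolicyComplianceStatusList'] to {account: violators}."""
    out = {}
    for status in status_list:
        n = sum(r["ViolatorCount"] for r in status["EvaluationResults"]
                if r["ComplianceStatus"] == "NON_COMPLIANT")
        if n:
            out[status["MemberAccount"]] = n
    return out
```

Pass the returned dict as `Policy=` to `boto3.client("fms").put_policy()` from the Firewall Manager administration account; the compliance summary is what you would poll after the policy has been applied.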

Conclusion

Creating Firewall Manager policies is simple and impactful. It allows AWS users to apply rules per account or organizational unit without resorting to manual work, home-grown automation, or third-party tools. Centralized management reduces administrative overhead and, because of AWS Config, Firewall Manager can continuously monitor compliance with its policies.


The information presented in this article is accurate as of July 22, 2021. Follow the ScaleSec blog for new articles and updates.

About ScaleSec

ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.
