AWS Firewall Manager and Prerequisites
4h 50m

This section of the AWS Certified Solutions Architect - Professional learning path introduces the key identity management, security, and encryption services within AWS relevant to the AWS Certified Solutions Architect - Professional exam. Core to security is AWS Identity & Access Management, commonly referred to as IAM. This service manages the identities, and their permissions, that can access your AWS resources, so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. IAM is an important service in ensuring your resources are secure.


Learning Objectives

  • Learn about identity and access management on AWS, including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
  • Learn the fundamentals of AWS Web Application Firewall (WAF), including what it is, when to use it, how it works, and why use it
  • Understand how to configure and monitor AWS WAF
  • Learn about AWS Firewall Manager and its components
  • Learn how to configure AWS Shield
  • Learn the fundamentals of AWS Cognito

Hello, and welcome to this lecture, where I shall provide an overview of AWS Firewall Manager, so you can understand what the service is used for. The core function of AWS Firewall Manager is to simplify the management of security protection for a range of different resources across multiple AWS accounts. It's the fact that it works across a multi-account infrastructure that gives this service a lot of power from a security perspective. So, it's a great tool to become familiar with if you are responsible for security across more than one AWS account.

Once you've configured security policies to govern the protections that you require for your resources, AWS Firewall Manager will then automatically apply this protection, in addition to managing this protection for any newly created resources that match your configuration, across any of the accounts that it has responsibility for. So, once it's set up, the management and protection efforts are simplified dramatically across your entire organization.

The current AWS services and resources that Firewall Manager provides protection for and integrates with include the following: AWS WAF, AWS Shield Advanced, AWS Network Firewall, VPC Security Groups and Amazon Route 53 Resolver DNS Firewall. In addition to these protected resources, Firewall Manager is also closely integrated with AWS Organizations. In fact, running AWS Organizations is a prerequisite of using Firewall Manager. For those unfamiliar with AWS Organizations, it's a service which provides a means of centrally managing and categorizing multiple AWS accounts that you own, bringing them together into a single organization.

Let's look at the prerequisites of Firewall Manager in a little more detail, to allow you to begin using the service. So, the first step is to decide which AWS account will be used as your Firewall Manager administrator account. This account will be used to manage your security policies. Next, you must ensure that this account is part of an AWS Organization. However, the organization that it joins must be configured with all features enabled, and not just consolidated billing.

When your account has successfully joined an AWS Organization, you must then configure AWS Firewall Manager within that account as the Firewall Manager administrator account. This administrator account is used to create and manage security policies. To delegate your account as the administrator, open the Firewall Manager console, select Get started, and enter the account number of your AWS account. Once you've added your AWS account to an AWS Organization and designated the Firewall Manager administrator account, you'll see confirmation ticks on the Firewall Manager dashboard reflecting that you have met these prerequisites.

Next, you must enable AWS Config for your account, and for any other account in the AWS Organization that you want to manage resource security for. It must be enabled in each region of that account in which the resources reside. If you don't want to enable AWS Config for all resources in each of your accounts, then you must ensure that you enable the following, depending on which resources you want Firewall Manager to secure. The next step is optional, depending on whether you are looking to apply security policies for all Network Firewalls and DNS Firewalls.

Then you must enable sharing with AWS Organizations in AWS Resource Access Manager. Doing so allows you to deploy security policies for these resource types, using Firewall Manager, across the accounts in your organization. To complete this configuration, open the Settings page in the AWS Resource Access Manager console, select Enable sharing with AWS Organizations, and then select Save settings.

The final step allows Firewall Manager to manage resources in regions that might be disabled by default. You must enable these regions before you can create and manage resources within them. These regions must be enabled in the AWS management account for your AWS Organization, in addition to the AWS account designated as your Firewall Manager administrator account. Enabling a region is a simple process. From within the AWS Management Console, navigate to the top right corner and select your account, then select My Account, scroll down to the Regions section and select Enable in the Action column for the regions that you would like to enable. Once you've completed these initial steps you are ready to begin configuring AWS Firewall Manager and its policies.
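The prerequisite checklist above, as an added example that is not part of the lecture: a bash script using the AWS CLI to verify, from the organization's management account, that the organization runs with all features, that the intended account is the Firewall Manager administrator, that RAM sharing with AWS Organizations is on (it appears as trusted access for `ram.amazonaws.com`), and that each listed region is opted in with AWS Config recording. It assumes the CLI is already configured with suitable read-only credentials; the account ID used in the usage line is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example, not code from the lecture: checks the Firewall Manager
# prerequisites described above with the AWS CLI. Assumes the CLI is already
# configured with credentials for the organization's management account.
set -u

# Run an AWS CLI query and print its text result, or UNKNOWN on any error.
q() { aws "$@" --output text 2>/dev/null || echo "UNKNOWN"; }

# Print OK/FAIL for one check; returns 1 on failure so the caller can tally.
check() { # $1 expected, $2 actual, $3 label
  if [ "$2" = "$1" ]; then echo "OK   $3: $2"; return 0; fi
  echo "FAIL $3: got '$2', need '$1'"; return 1
}

# Usage: fms_prereq_check <admin-account-id> <region>...
# Returns 0 only when every prerequisite is met.
fms_prereq_check() {
  local admin_account="$1"; shift; local fails=0 region opt recording

  # 1. The organization must run with all features, not consolidated billing only.
  check ALL "$(q organizations describe-organization --query Organization.FeatureSet)" \
        "organization feature set" || fails=$((fails + 1))

  # 2. The intended account must already be the Firewall Manager administrator.
  check "$admin_account" "$(q fms get-admin-account --query AdminAccount)" \
        "Firewall Manager administrator" || fails=$((fails + 1))

  # 3. Sharing with AWS Organizations in RAM shows up as trusted access for RAM;
  #    needed before Network Firewall / DNS Firewall policies can be deployed.
  local ram_enabled=false
  q organizations list-aws-service-access-for-organization \
      --query 'EnabledServicePrincipals[].ServicePrincipal' \
      | grep -q 'ram.amazonaws.com' && ram_enabled=true
  check true "$ram_enabled" "RAM sharing with AWS Organizations" || fails=$((fails + 1))

  # 4. Per region: the region must be opted in (or enabled by default) and
  #    AWS Config must be recording there, since Firewall Manager relies on it.
  for region in "$@"; do
    opt=$(q account get-region-opt-status --region-name "$region" --query RegionOptStatus)
    case "$opt" in ENABLED|ENABLED_BY_DEFAULT) opt=ENABLED ;; esac
    check ENABLED "$opt" "region $region opt-in status" || fails=$((fails + 1))
    recording=$(q configservice describe-configuration-recorder-status --region "$region" \
                  --query 'ConfigurationRecordersStatus[0].recording')
    check True "$recording" "AWS Config recording in $region" || fails=$((fails + 1))
  done
  [ "$fails" -eq 0 ]
}
# Example (placeholder account ID): fms_prereq_check 111122223333 us-east-1 eu-west-1
```

Run it once against the management account and once more after designating the administrator account, since a FAIL on check 2 in the first pass is expected until that step is done.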

About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.