Components of Firewall Manager


Key Management Service (KMS)
What is KMS?
Components of KMS
AWS Web Application Firewall
AWS Shield
Start course
5h 2m

This course looks at the key Security services within AWS relevant to the SysOps Administrator - Associate exam. The core to security is Identity & Access Management, commonly referred to as IAM. This service manages identities and their permissions that are able to access your AWS resources and so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment.  In addition to IAM, this course covers a range of other security services covering encryption and access control

Learning Objectives

  • Learn about identity and access management on AWS including users, groups & roles, IAM policies, MFA, and cross-account access
  • Learn the fundamentals of AWS Web Application Firewall (WAF) including what it is, when to use it, how it works, and why use it
  • Learn how to manage data protection through encryption services such as the Key Management Service (KMS) and CloudHSM
  • Learn how to secure your AWS accounts using AWS Organizations
  • Understand how to configure and monitor AWS WAF, Firewall Manager, and Shield
  • Learn the fundamentals of access control via federation using AWS Cognito and AWS SSO

Hello and welcome to this lecture where I shall introduce the components of the AWS Firewall Manager service. There are primarily three different components to Firewall Manager that allow you to control and manage walls across multiple AWS accounts within your AWS organization. These being, WAF rules, rule groups and Firewall Manager policies. I covered what AWS WAF rules are in a previous lecture so I won't go over the same information again. So next we have rule groups. These simply allow you to group together one or more WAF rules that will all have the same action applied when the conditions are met within a rule. You have two options for your rule groups, you can create your own and add your own WAF rules or you can purchase existing rule groups pre-configured with set AWF WAF rules by the AWF Marketplace. By using the Marketplace rule groups it provides a number of benefits. For example they are all pre-configured and ready to deploy and are supplied by AWS and other AWS approved partner companies. Many of them allow protections against known vulnerabilities, specifically those highlighted within the open web application security project, the OWASP top 10 list, and they could help you to gain compliance to specific regulations such as PCI or HIPAA. Unlike web rules, rule groups can only contain one of two actions. 

These being either block or count. And they have the same meaning as defined within the WAF section. There is no allow action for rule groups. Also you can only have 10 rules per rule group which can't be increased. For other limitations of Firewall Manager please see the following link. Once you have created your rule groups containing your rules, you then have to create an AWS Firewall Manager Policy. This policy simply contains the rule groups that you want to assign to your AWS resources. It's important to point out that you can only have two rule groups per policy, one customer created rule group, and one AWS Marketplace rule group. This limit cannot be changed. So to recap, AWS WAF rules are created or selected first, which as we know contain conditions. WAF rules can then be added to a rule group which will have either a block or a count action associated. Finally, a rule group is then added to an AWS Firewall Manager Policy which is then associated to AWS resources, such as your cloud front distributions or application load balances. Do be aware that the cost of each policy is $100 per policy, per region, per month. That has brought me to the end of this short lecture. Coming up next I will provide a demonstration on how to use and create some of these components to add to our policy.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.