Identity & Access Management
Key Management Service (KMS)
AWS Secrets Manager
AWS Web Application Firewall
AWS Firewall Manager
The course is part of this learning path
This course looks at the key Security services within AWS relevant to the SysOps Administrator - Associate exam. The core to security is Identity & Access Management, commonly referred to as IAM. This service manages identities and their permissions that are able to access your AWS resources and so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. In addition to IAM, this course covers a range of other security services covering encryption and access control
- Learn about identity and access management on AWS including users, groups & roles, IAM policies, MFA, and cross-account access
- Learn the fundamentals of AWS Web Application Firewall (WAF) including what it is, when to use it, how it works, and why use it
- Learn how to manage data protection through encryption services such as the Key Management Service (KMS) and CloudHSM
- Learn how to secure your AWS accounts using AWS Organizations
- Understand how to configure and monitor AWS WAF, Firewall Manager, and Shield
- Learn the fundamentals of access control via federation using AWS Cognito and AWS SSO
Hello, and welcome to this lecture, where I shall demonstrate how to create an AWS Firewall Manager Policy, containing Rule Groups and WAF Rules. Okay, so I'm at the dashboard of my AWS Management Console, and I firstly need to go to the WAF & Shield service. So if I go across, if I then scroll down to the bottom, where it says AWS FMS, which is the Firewall Management Service, click on security policies, and we can see here that I don't have any security policies created at the moment. If I click on the blue button, create policy, it's a similar setup to the demonstration I gave earlier when I showed you how to configure WAF, where on the left hand side it gave you a number of steps to complete, and it started off with a concept overview. So you can take a read through that concept overview if you wish. Then at the bottom you have two options, one to create an AWS Firewall Manager policy, and add existing rule groups that you may have already created, or to create an AWS Firewall Manager policy and add a new rule group. For this demonstration I'm going to select the second option, so I can show you how to create a new rule group. So once you've made that selection click on next. Now, here we have our conditions, and these conditions are exactly the same as we had in the WAF demonstration earlier, and if we scroll down we can still see that we have the same conditions from the demonstration we created earlier. So it picks up the same information that you've already created in WAF. So once you are happy with creating your conditions then you simply click on next. Now step two is where you need to create the rules, just like we did earlier in the previous demonstration when configuring WAF. So, to create a new rule it still has exactly the same options.
So I'm just going to leave that for this demonstration as we've done that in the previous one. And as we can see here, we have our previous rule that we created earlier. Click on next. Now we have our rule groups, and the rule groups contain multiple rules and define what actions to take when any of the rules match a request. So we don't have any rule groups configured at the minute for Firewall Manager, so let's set one up. Click on create rule group. And we'll call this our FirewallRule. And again, we have a CloudWatch metric name, the region that we specified earlier. And if we go down to rules in this group, we can select our rules. Now we only have one rule, but if you have more than that, all will be listed here. Click on add rule, and here you can see that we can specify an action. Now remember, the Firewall Manager policies only allow other block or count actions, so we're gonna leave this as block. And if you wanted more rules, you'd simply click on the dropdown list and add all the appropriate rules that you want. Click on create. And now we have our rule group created, and then we can see the name FirewallRules. Click on next. Now this is the first part of the policy itself, so those first three steps that we just carried out were, creating the conditions, the rules, and the rule group. So a lot of those elements are pulled from WAF, but you can create them from here as well. Now the next section is to do with creating the firewall policy. And the first part is to describe the policy and add rule groups. Just call it MyPolicy.
If you go down to the rule groups, now we can see the rule groups here, that we just created, and if we had more than one rule group then we'd see it in this dropdown list here, and we can add it to the same policy. Now the action has been specified by the rule group, or we can change it here to count. But we're gonna use the action specified by the rule group, which was block. Now remember, if you did want to add more than one rule group to a policy, you can only have one customer rule group and one AWS Marketplace rule group. Click on next. This section defines the scope of the policy, and you can select accounts to either include or exclude from this policy, which is optional. Just gonna leave that as default. And we can select resource types that will be protected, and we want a CloudFront distribution, which is why we selected the global option in the region selector earlier. Now you can either use tags to include or exclude resources, so if you have tags with specific keys and values then you can add them in there. For this demonstration, I'm just gonna leave that blank. Now you have two options at the bottom here, you can either create and apply this policy to existing and new resources, or simply, just create the policy, but don't apply to any resources at the minute. Now if you look at the first option, it explains that this option will create a web ACL in each account within the AWS Organization, and associate the web ACL with the resources in the accounts. The second option, it will simply create a web ACL in each account within the organization, but it will not apply that web ACL to any resources.
So for this demonstration, I'm simply just going to create the policy, but not apply it to any resources. Click on next. Then we have a final review screen, where it'll just give you the name of the policy that you created and the region, whether you selected it for CloudFront or an application load balancer. The rule groups within your policy, and the associated action, and it states that all accounts in your AWS Organization will be protected by this policy. We haven't applied any resource tags, and it shows that this policy is to be created but not be applied to any resources. And it will apply to all CloudFront distribution resources. At the bottom here, you have a message stating that you must enable Config for each member account in your AWS Organization, which we done earlier. And at the bottom here it also states that, in addition to your Firewall Manager charges, you'll also incur charges for AWS Config. Before you can create your policy, you must click on the tick box, and then click create. Now I'm not going to click on create, because if I do then that'll cost $100 for each policy. This is the end of the demonstration, but once you are happy with your configuration and your policy, you simply click create. And that's the final stage.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.