This course looks at the key security services within AWS relevant to the SysOps Administrator - Associate exam. The core of security is Identity & Access Management, commonly referred to as IAM. This service manages the identities and permissions that are able to access your AWS resources, so understanding how it works and what you can do with it will help you to maintain a secure AWS environment. In addition to IAM, this course covers a range of other security services covering encryption and access control.
- Learn about identity and access management on AWS including users, groups & roles, IAM policies, MFA, and cross-account access
- Learn the fundamentals of AWS Web Application Firewall (WAF) including what it is, when to use it, how it works, and why use it
- Learn how to manage data protection through encryption services such as the Key Management Service (KMS) and CloudHSM
- Learn how to secure your AWS accounts using AWS Organizations
- Understand how to configure and monitor AWS WAF, Firewall Manager, and Shield
- Learn the fundamentals of access control via federation using AWS Cognito and AWS SSO
Hello and welcome to the first lecture covering AWS Firewall Manager. We now know and understand what the AWS WAF service is and what it's used for. However, consider having multiple AWS accounts, all linked within an AWS Organization. If you have resources in these accounts that also need to be protected using WAF, perhaps when using CloudFront distributions, for example, it would be an administrative burden to repeat many of your configured rules across multiple accounts. Thankfully, AWS Firewall Manager has been designed to help you resolve this issue. Firewall Manager has been designed to help you manage WAF in a multi-account environment with simplicity and control. It allows you to protect your vulnerable resources across all of your AWS accounts within your AWS Organization. It can group and protect specific resources together, for example, all resources with a particular tag or all of your CloudFront distributions. One key benefit of Firewall Manager is that it automatically protects certain resources that are added to your account as they become active. Now, before using the Firewall Manager, there are a number of prerequisites that you need to meet, these being: you must ensure that your AWS Account is a part of an AWS Organization.
However, the Organization must have been configured with all features, not just consolidated billing, otherwise it will not work. For more information on AWS Organizations, please take a look at the following link. You must also define which AWS account will act as the Firewall Manager Admin account. And lastly, ensure you have AWS Config enabled. More information on AWS Config can be found on our existing course here. Let me now provide a quick demonstration on how to fulfill these three requirements. Okay, so for this demonstration we need to do three things. We need to set up an AWS Organization with all features enabled, not just the consolidated billing. We also need to decide which AWS account we're gonna use as the Master account, and then we also need to check to make sure we've got AWS Config enabled. So the first thing to do is to really understand which account you're going to be using as the Master. So this account that I've logged into at the moment I'm going to be using as our Master account, and so from this account I'm going to also create an AWS Organization as well. Now, if you've already got AWS Organizations configured and set up, then you can skip this step. So let me start off by finding the Organizations console, and, if you don't have any Organizations set up at all, then you'll be presented with this screen. So I'm gonna show you how to create it from scratch. So, from here, I can click on Create organization and this'll just bring up a pop-up screen to show you some of the benefits you get when creating organizations. Now the default is that you'll create an organization with all features. If you just wanted to create an organization with consolidated billing features only, then you can click on this link down here, but remember we need all features enabled for the Firewall Manager to work.
So, from here, I'll click on Create organization, and then once your organization is created it'll show within this list here under the Account name, and the star signifies that this is the Master account.
At this point, when you set up a new organization, the account owner will receive an email to verify the new AWS Organization that you've set up. So, once you've verified that organization, what you can then do is invite your other member accounts that you want to be included under the Firewall Manager. Now to do that we simply go across to Invitations, and then across to Invite account. Now, if you have an existing account, you can use the Invite account option here and then enter the account ID, or, if you want to create a new account and add it to this organization, then you can do so using this option here, but I've already got another account set up. So I'm just simply going to add the account ID, and then once I've entered the account ID I can add some Notes as well if I want to, and then I simply click on Invite. And that shows that this account has been invited to join this AWS Organization. Now what I need to do is go across to this member account and accept that invitation. So let's do that now. So I'm now logged into that second account, and, if I go to AWS Organizations, I can see over on the left-hand side here I have an Invitation. So, if you click on Invitations, it shows you the Organization ID, the account name and the Requested controls, and we enabled all features. So here we can simply Accept or Decline this invitation.
I'm going to click on Accept and then a splash screen comes up just to let you know that you're about to join the organization and wants you to Confirm. And that's it. It now says your account belongs to the following organization. So now we've completed the first step. We've set up the AWS Organization with the Master account and also this member account. Now I want to define which of my accounts is going to be the administrative account for the AWS Firewall Manager, and, for this, I'm gonna go back to the account that set up the organization and I'm gonna use that as the administrative and Master account for the Firewall Manager. So let me switch back to that account. Okay, so I'm now back in my Master account where I set up the AWS Organization. So what I need to do is designate this account as the administrator account for the Firewall Manager.
I need to go to the WAF service, and here on the right-hand side we can see AWS Firewall Manager. Now, if we go into the Firewall Manager console, we can see that we have our prerequisites here. Now it's saying that we already have this AWS account in an organization as we have a tick, but we haven't fulfilled this prerequisite here where we must designate an account as the AWS Firewall Manager administrator account. Now we know we haven't done that, which is why we're at this stage now, and to set this account as the administrator account we can click on Get started, and all we need to do is add in the AWS account ID that we want to be the administrator. So, if I just paste that in and then simply click on Set administrator, it gives you a confirmation message saying are you sure you want to proceed? And then once you're sure just click on Set administrator and that's it. This AWS account will now act as the AWS Firewall Manager administrator account. So that's the second prerequisite fulfilled. Lastly, we just need to make sure we're running AWS Config. Now I already have AWS Config running on this account, so I'll swap over to the member account in our AWS organization and show you very quickly how to set up AWS Config on there. Type in config, and we can see here that we don't have AWS Config enabled at the moment. So what we need to do is click on Get started. For the sake of this demonstration I'm just gonna accept all default options here about which resources to track, the Amazon S3 bucket, et cetera, and creating the AWS Config role.
If you need more information on AWS Config, then we do have a course dedicated to this, and it goes into the configuration of it at quite some depth. So I'm gonna click on Next. I'm not gonna have any AWS Config rules at the moment, so I'll skip this step, and there's just a Review screen at the end and I'm just gonna click on Confirm. And you wanna make sure that you have AWS Config enabled on all of the accounts that you want to use with AWS Firewall Manager. Okay, so that's AWS Config set up. So now we have carried out all three prerequisites. We've decided on the Master account. We've set up an AWS organization and have added our member accounts as required, and we've enabled AWS Config. So now if I go back to the Master account, and, if I go to Organizations, we can now see that the other account is a part of the same organization and we can see the date that they joined as well. So now if we go across to the AWS Firewall Manager, which is under the WAF Management Console, here we can see that we've met all the prerequisites that are required to begin creating our AWS Firewall Manager policies. And that's it. That now brings me to the end of this lecture. Coming up next I will explain some of the components used by the Firewall Manager to enable you to manage and control your WAF rules across different accounts.
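The three prerequisites walked through above can also be verified from the command line rather than by clicking through the console. The following is an added example, not part of the original lecture: it parses the JSON returned by `aws organizations describe-organization`, `aws fms get-admin-account` and `aws configservice describe-configuration-recorder-status` and reports which prerequisites are still missing. The sample outputs embedded below are constructed (the account and organization IDs are placeholders), and the `cli` helper is an assumption about how you would feed it live output.

```python
"""Check the three AWS Firewall Manager prerequisites from AWS CLI JSON output."""
import json
import subprocess


def check_prerequisites(org_json: str, fms_json: str, config_json: str) -> dict:
    """Map each prerequisite to True/False, parsed from the raw CLI responses."""
    org = json.loads(org_json).get("Organization", {})
    fms = json.loads(fms_json)
    recorders = json.loads(config_json).get("ConfigurationRecordersStatus", [])
    return {
        # Consolidated-billing-only organizations do not work with Firewall Manager.
        "organization_all_features": org.get("FeatureSet") == "ALL",
        # An admin account must be designated and its service role must be READY.
        "fms_admin_designated": bool(fms.get("AdminAccount")) and fms.get("RoleStatus") == "READY",
        # At least one AWS Config recorder must actually be recording.
        "config_recording": any(r.get("recording") for r in recorders),
    }


def missing(results: dict) -> list:
    """Names of the prerequisites that are not yet fulfilled, in check order."""
    return [name for name, ok in results.items() if not ok]


# Constructed sample responses (placeholder IDs) mirroring the real CLI output shapes.
SAMPLE_ORG = '{"Organization": {"Id": "o-exampleorgid", "FeatureSet": "ALL", "MasterAccountId": "111111111111"}}'
SAMPLE_ORG_BILLING_ONLY = '{"Organization": {"Id": "o-exampleorgid", "FeatureSet": "CONSOLIDATED_BILLING"}}'
SAMPLE_FMS = '{"AdminAccount": "111111111111", "RoleStatus": "READY"}'
SAMPLE_CONFIG = '{"ConfigurationRecordersStatus": [{"name": "default", "recording": true, "lastStatus": "SUCCESS"}]}'


def cli(*args: str) -> str:
    """Assumed helper: run an AWS CLI command and return its JSON; '{}' on a non-zero exit
    (e.g. fms get-admin-account fails with ResourceNotFoundException when no admin is set)."""
    try:
        return subprocess.check_output(["aws", *args, "--output", "json"], text=True)
    except (subprocess.CalledProcessError, FileNotFoundError):
        return "{}"


if __name__ == "__main__":
    # Run describe-configuration-recorder-status in every member account and region you
    # intend to protect; this invocation only checks the credentials currently in use.
    live = check_prerequisites(cli("organizations", "describe-organization"),
                               cli("fms", "get-admin-account"),
                               cli("configservice", "describe-configuration-recorder-status"))
    print("missing prerequisites:", missing(live) or "none")
```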
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 90+ courses relating to Cloud reaching over 140,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.