AWS Firewall Manager and Prerequisites
AWS Firewall Manager and Prerequisites

This course explores how to use the AWS Firewall Manager to manage firewall rules across multiple AWS accounts, with the help of AWS Organizations.

Learning Objectives

  • Understand what Firewall Manager is and the service that it provides
  • Learn the prerequisites required for using the service
  • Understand the different Firewall Manager policies supported
  • Learn how to configure a number of different policies

Intended Audience

  • Security architects who are responsible for mitigating risks and exposures to AWS resources and applications
  • Anyone who requires a deeper understanding of AWS Firewall Manager in preparation for an AWS certification


To get the most out of this course, it would be beneficial to have a basic understanding of the following services:

  • AWS Web Application Firewall service
  • AWS Organizations
  • Amazon CloudFront
  • Amazon VPC Security Groups

Hello, and welcome to this lecture, where I should provide an overview of AWS Firewall Manager, so, you can understand what the service is used for. The core function of AWS Firewall Manager is to help you simplify the management of being able to provide security protection to a range of different resources, between multiple AWS accounts. It's the fact that it works across multiple account infrastructure, that gives this service a lot of power from a security perspective. So, it's a great tool to become familiar with, if you are responsible for security across more than one AWS account.

Once your configured security policies to govern the protections that you require for your resources, AWS Firewall Manager, will then automatically apply this protection in addition to managing this protection for any newly creative resources, that match your configuration across any of your accounts that it has responsibility for. So, once it's set up, the management and protection efforts are simplified dramatically, across your entire organization.

The current AWS services and resources that Firewall Manager provides protection for and integrate with, include the following; AWS WAF, AWS Shield Advanced, AWS Network Firewall, VPC Security Groups and Amazon Route 53 Resolver DNS Firewall. In addition to these resources that are protected, Firewall Manager is also closely integrated with AWS Organizations. In fact, running AWS Organizations is a prerequisite of using Firewall Manager. For those I'm familiar with AWS Organizations, it's a service which provides a means of centrally managing and categorizing multiple AWS accounts that you own, bringing them together into a single organization.

Let's look at the prerequisites of Firewall Manager in a little more detail, to allow you to begin using the service. So, the first step is to decide which AWS account will be used as your Firewall Manager Administrator account. And this account will be used to essentially manage your security policies. Next, you must ensure that this account is a part of an AWS Organization. However, the that it joins must be configured with all features enabled, and not just consolidated billing.

When your account has successfully joined an AWS Organization, you must then configure AWS Firewall Manager within that account, as the Firewall Manager Administrator Account. And this administrator account is used to create a manager security policies. To delegate your account as the administrator, open the Firewall Manager Console, select, get started and enter the account number of your AWS account. Once you've added your AWS account to an AWS Organization and designated the Firewall Manager administrative account, you'll see confirmation ticked on the Firewall Manager dashboard as seen to reflect that you have met these prerequisites.

Next, you must enable AWS config for your account, and for any other account in the AWS Organization that you want to manage resource security for. And it must be enabled for each region in that account, in which the resources reside. If you don't want to enable AWS conflict for all resources in each of your accounts, then you must ensure that you enable the following depending on which resources you want Firewall Manager to secure. The next step is optional, depending on if you are looking to apply security policies for all Network Firewalls and DNS Firewalls.

Then you must enable sharing with AWS Organizations in AWS Resource Access Manager. By doing so, it allows you to deploy security policies to these resource types, using Firewall Manager across your accounts in your organization. To complete this configuration, you must open the settings page in the AWS Resource Access Manager Console, and then from here, select, enable sharing with AWS Organizations, and then select, safe settings.

The final step allows Firewall Manager to manage resources in regions, that might be disabled by default. So, you must enable these regions before you can create and managed resources within them. These regions must being enabled in the AWS management account, for your AWS Organization, in addition to the AWS account designated as your Firewall Administrator account. Enabling a region is a simple process. From within the AWS Management Console, navigate to the top right corner and select your account, and then select my account, scroll down to regions section and select, enable in the action column, for the regions that you would like to enable. Once you've completed these initial steps you are ready to begin configuring AWS Firewall Manager and its policies.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.