Firewall Manager examples using AWS CLI
The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Firewall Manager.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
Topics
Actions
The following code example shows how to use associate-admin-account
.
- AWS CLI
-
To set the Firewall Manager administrator account
The following
associate-admin-account
example sets the administrator account for Firewall Manager.aws fms associate-admin-account \ --admin-account
123456789012
This command produces no output.
For more information, see Set the AWS Firewall Manager Administrator Account in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see AssociateAdminAccount
in AWS CLI Command Reference.
-
The following code example shows how to use delete-notification-channel
.
- AWS CLI
-
To remove the SNS topic information for Firewall Manager logs
The following
delete-notification-channel
example removes the SNS topic information.aws fms delete-notification-channel
This command produces no output.
For more information, see Configure Amazon SNS Notifications and Amazon CloudWatch Alarms in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see DeleteNotificationChannel
in AWS CLI Command Reference.
-
The following code example shows how to use delete-policy
.
- AWS CLI
-
To delete a Firewall Manager policy
The following
delete-policy
example removes the policy with the specified ID, along with all of its resources.aws fms delete-policy \ --policy-id
a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
\ --delete-all-policy-resourcesThis command produces no output.
For more information, see Working with AWS Firewall Manager Policies in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see DeletePolicy
in AWS CLI Command Reference.
-
The following code example shows how to use disassociate-admin-account
.
- AWS CLI
-
To remove the Firewall Manager administrator account
The following
disassociate-admin-account
example removes the current administrator account association from Firewall Manager.aws fms disassociate-admin-account
This command produces no output.
For more information, see Set the AWS Firewall Manager Administrator Account in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see DisassociateAdminAccount
in AWS CLI Command Reference.
-
The following code example shows how to use get-admin-account
.
- AWS CLI
-
To retrieve the Firewall Manager administrator account
The following
get-admin-account
example retrieves the administrator account.aws fms get-admin-account
Output:
{ "AdminAccount": "123456789012", "RoleStatus": "READY" }
For more information, see AWS Firewall Manager Prerequisites in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see GetAdminAccount
in AWS CLI Command Reference.
-
The following code example shows how to use get-compliance-detail
.
- AWS CLI
-
To retrieve the compliance information for an account
The following
get-compliance-detail
example retrieves compliance information for the specified policy and member account.aws fms get-compliance-detail \ --policy-id
a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
\ --member-account123456789012
Output:
{ "PolicyComplianceDetail": { "EvaluationLimitExceeded": false, "IssueInfoMap": {}, "MemberAccount": "123456789012", "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "PolicyOwner": "123456789012", "Violators": [] }
For more information, see Viewing Resource Compliance with a Policy in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see GetComplianceDetail
in AWS CLI Command Reference.
-
The following code example shows how to use get-notification-channel
.
- AWS CLI
-
To retrieve the SNS topic information for Firewall Manager logs
The following
get-notification-channel
example retrieves the SNS topic information.aws fms get-notification-channel
Output:
{ "SnsTopicArn": "arn:aws:sns:us-west-2:123456789012:us-west-2-fms", "SnsRoleName": "arn:aws:iam::123456789012:role/aws-service-role/fms.amazonaws.com/AWSServiceRoleForFMS" }
For more information, see Configure Amazon SNS Notifications and Amazon CloudWatch Alarms in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see GetNotificationChannel
in AWS CLI Command Reference.
-
The following code example shows how to use get-policy
.
- AWS CLI
-
To retrieve a Firewall Manager policy
The following
get-policy
example retrieves the policy with the specified ID.aws fms get-policy \ --policy-id
a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
Output:
{ "Policy": { "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "PolicyName": "test", "PolicyUpdateToken": "1:p+2RpKR4wPFx7mcrL1UOQQ==", "SecurityServicePolicyData": { "Type": "SECURITY_GROUPS_COMMON", "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":true,\"exclusiveResourceSecurityGroupManagement\":false,\"securityGroups\":[{\"id\":\"sg-045c43ccc9724e63e\"}]}" }, "ResourceType": "AWS::EC2::Instance", "ResourceTags": [], "ExcludeResourceTags": false, "RemediationEnabled": false }, "PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/d1ac59b8-938e-42b3-b2e0-7c620422ddc2" }
For more information, see Working with AWS Firewall Manager Policies in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see GetPolicy
in AWS CLI Command Reference.
-
The following code example shows how to use list-compliance-status
.
- AWS CLI
-
To retrieve the policy compliance information for member accounts
The following
list-compliance-status
example retrieves member account compliance information for the specified policy.aws fms list-compliance-status \ --policy-id
a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
Output:
{ "PolicyComplianceStatusList": [ { "PolicyOwner": "123456789012", "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "PolicyName": "test", "MemberAccount": "123456789012", "EvaluationResults": [ { "ComplianceStatus": "COMPLIANT", "ViolatorCount": 0, "EvaluationLimitExceeded": false }, { "ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 2, "EvaluationLimitExceeded": false } ], "LastUpdated": 1576283774.0, "IssueInfoMap": {} } ] }
For more information, see Viewing Resource Compliance with a Policy in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see ListComplianceStatus
in AWS CLI Command Reference.
-
The following code example shows how to use list-member-accounts
.
- AWS CLI
-
To retrieve the member accounts in the organization
The following
list-member-accounts
example lists all of the member accounts that are in the Firewall Manager administrator's organization.aws fms list-member-accounts
Output:
{ "MemberAccounts": [ "222222222222", "333333333333", "444444444444" ] }
For more information, see AWS Firewall Manager in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see ListMemberAccounts
in AWS CLI Command Reference.
-
The following code example shows how to use list-policies
.
- AWS CLI
-
To retrieve all Firewall Manager policies
The following
list-policies
example retrieves the list of policies for the account. In this example, the output is limited to two results per request. Each call returns aNextToken
that can be used as the value for the--starting-token
parameter in the nextlist-policies
call to get the next set of results for the list.aws fms list-policies \ --max-items
2
Output:
{ "PolicyList": [ { "PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "PolicyName": "test", "ResourceType": "AWS::EC2::Instance", "SecurityServiceType": "SECURITY_GROUPS_COMMON", "RemediationEnabled": false }, { "PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "PolicyId": "457c9b21-fc94-406c-ae63-21217395ba72", "PolicyName": "test", "ResourceType": "AWS::EC2::Instance", "SecurityServiceType": "SECURITY_GROUPS_COMMON", "RemediationEnabled": false } ], "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAyfQ==" }
For more information, see Working with AWS Firewall Manager Policies in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see ListPolicies
in AWS CLI Command Reference.
-
The following code example shows how to use put-notification-channel
.
- AWS CLI
-
To set the SNS topic information for Firewall Manager logs
The following
put-notification-channel
example sets the SNS topic information.aws fms put-notification-channel \ --sns-topic-arn
arn:aws:sns:us-west-2:123456789012:us-west-2-fms
\ --sns-role-namearn:aws:iam::123456789012:role/aws-service-role/fms.amazonaws.com/AWSServiceRoleForFMS
This command produces no output.
For more information, see Configure Amazon SNS Notifications and Amazon CloudWatch Alarms in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see PutNotificationChannel
in AWS CLI Command Reference.
-
The following code example shows how to use put-policy
.
- AWS CLI
-
To create a Firewall Manager policy
The following
put-policy
example creates a Firewall Manager security group policy.aws fms put-policy \ --cli-input-json
file://policy.json
Contents of
policy.json
:{ "Policy": { "PolicyName": "test", "SecurityServicePolicyData": { "Type": "SECURITY_GROUPS_USAGE_AUDIT", "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":false,\"coalesceRedundantSecurityGroups\":true}" }, "ResourceType": "AWS::EC2::SecurityGroup", "ResourceTags": [], "ExcludeResourceTags": false, "RemediationEnabled": false }, "TagList": [ { "Key": "foo", "Value": "foo" } ] }
Output:
{ "Policy": { "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "PolicyName": "test", "PolicyUpdateToken": "1:X9QGexP7HASDlsFp+G31Iw==", "SecurityServicePolicyData": { "Type": "SECURITY_GROUPS_USAGE_AUDIT", "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":false,\"coalesceRedundantSecurityGroups\":true,\"optionalDelayForUnusedInMinutes\":null}" }, "ResourceType": "AWS::EC2::SecurityGroup", "ResourceTags": [], "ExcludeResourceTags": false, "RemediationEnabled": false }, "PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }
For more information, see Working with AWS Firewall Manager Policies in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
-
For API details, see PutPolicy
in AWS CLI Command Reference.
-