Sharing AWS Network Firewall firewall policies and rule groups
You can share some Network Firewall resources with other accounts. This permits them to use the protections that you define and maintain to protect their resources too.
The owner of a firewall policy or rule group can share a resource with:
- Specific AWS accounts inside or outside of its organization in AWS Organizations
- An organizational unit inside its organization in AWS Organizations
- Its entire organization in AWS Organizations
Warning: You can't share a firewall policy that's configured to use a TLS inspection configuration.
The owner of a rule group can share a rule group that refers to a resource group, but can't share the resource group itself.
Prerequisites for sharing firewall policies and rule groups
- To share a firewall policy or rule group, you must own it in your AWS account. You cannot share a firewall policy or rule group that has been shared with you.
- To share a firewall policy or rule group with your organization or an organizational unit in AWS Organizations, you must enable sharing with AWS Organizations. For more information, see Enable Sharing with AWS Organizations in the AWS RAM User Guide.
Related services
Firewall policy and rule group sharing integrates with AWS Resource Access Manager (AWS RAM). AWS RAM is a service that enables you to share your AWS resources with any AWS account or through AWS Organizations. With AWS RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share, and the consumers with whom to share them. Consumers can be individual AWS accounts, organizational units, or an entire organization in AWS Organizations.
For more information about AWS RAM, see the AWS RAM User Guide.
Sharing across Availability Zones
To ensure that resources are distributed across the Availability Zones for a Region, we independently map Availability Zones to names for each account. This could lead to Availability Zone naming differences across accounts. For example, the Availability Zone us-east-1a for your AWS account might not have the same location as us-east-1a for another AWS account.
To identify the location of your firewall policy or rule group relative to your accounts, you must use the Availability Zone ID (AZ ID). The AZ ID is a unique and consistent identifier for an Availability Zone across all AWS accounts. For example, use1-az1 is an AZ ID for the us-east-1 Region and it is the same location in every AWS account.
To view the AZ IDs for the Availability Zones in your account
- Open the AWS RAM console at https://console.aws.amazon.com/ram.
- The AZ IDs for the current Region are displayed in the Your AZ ID panel on the right-hand side of the screen.
Sharing a firewall policy or rule group
To share a firewall policy or rule group, you must add it to a resource share. A resource share is an AWS RAM resource that lets you share your resources across AWS accounts. A resource share specifies the resources to share, and the consumers with whom they are shared. When you share a firewall policy or rule group using AWS Network Firewall, you add it to an existing resource share. To add the firewall policy or rule group to a new resource share, you must first create the resource share using the AWS RAM console.
If you are part of an organization in AWS Organizations and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared firewall policies and rule groups. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared firewall policies and rule groups after accepting the invitation.
You can share a firewall policy or rule group that you own using the AWS RAM console, the AWS Network Firewall API, or the AWS CLI.
To share a firewall policy or rule group that you own using the AWS RAM console
See Creating a Resource Share in the AWS RAM User Guide.
To share a firewall policy or rule group that you own using the AWS CLI
Use the create-resource-share command.
To share a firewall policy or rule group that you own using the Network Firewall API
Use the PutResourcePolicy action. For information about how to use this, see PutResourcePolicy in the AWS Network Firewall API Reference.
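Added example, not from this documentation page or from AWS: a small Python helper that builds the policy document for PutResourcePolicy and checks it before it is applied (explicit account principals only, actions limited to those the API reference lists for the resource type, Resource equal to the shared ARN). The allowed-action sets are my reading of the PutResourcePolicy API reference, and the ARNs and account IDs are constructed.

```python
import json
import re

# Actions Network Firewall accepts in a resource policy, by resource type. The lists are my
# reading of the PutResourcePolicy API reference (an assumption); confirm them there.
ALLOWED_ACTIONS = {
    "stateful-rulegroup": {"network-firewall:CreateFirewallPolicy",
                           "network-firewall:UpdateFirewallPolicy",
                           "network-firewall:ListRuleGroups"},
    "firewall-policy": {"network-firewall:AssociateFirewallPolicy",
                        "network-firewall:ListFirewallPolicies"},
}
ALLOWED_ACTIONS["stateless-rulegroup"] = ALLOWED_ACTIONS["stateful-rulegroup"]
ARN_RE = re.compile(r"^arn:aws:network-firewall:[a-z0-9-]+:(\d{12}):"
                    r"(stateful-rulegroup|stateless-rulegroup|firewall-policy)/[^/]+$")


def check_policy(resource_arn, policy):
    """Return a list of findings; an empty list means the policy passed every check."""
    m = ARN_RE.match(resource_arn)
    if not m:
        return [f"unrecognised Network Firewall ARN: {resource_arn}"]
    allowed, findings = ALLOWED_ACTIONS[m.group(2)], []
    for st in policy.get("Statement", []):
        # Principal must name explicit accounts; "*" would share with every AWS account.
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            acct = p.split(":")[4] if p.count(":") >= 5 else p
            if not re.fullmatch(r"\d{12}", acct):
                findings.append(f"principal is not an explicit account: {p}")
        # Only the actions Network Firewall documents for this resource type are meaningful.
        actions = st.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            if a not in allowed:
                findings.append(f"action not permitted for {m.group(2)}: {a}")
        if st.get("Resource") != resource_arn:
            findings.append("Resource must be exactly the ARN of the shared resource")
    return findings


def build_policy(resource_arn, consumer_account_ids, actions):
    """Build the JSON string passed as the Policy parameter of PutResourcePolicy."""
    policy = {"Version": "2012-10-17", "Statement": [{
        "Sid": "ShareWithConsumers", "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in consumer_account_ids]},
        "Action": sorted(actions), "Resource": resource_arn}]}
    findings = check_policy(resource_arn, policy)
    if findings:
        raise ValueError("; ".join(findings))
    return json.dumps(policy)
```

The returned string is the value you pass as --policy to aws network-firewall put-resource-policy (with --resource-arn set to the same ARN).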
Unsharing a shared firewall policy or rule group
To unshare a shared firewall policy or rule group that you own, you must remove it from the resource share. You can do this using the AWS RAM console or the AWS CLI.
To unshare a shared firewall policy or rule group that you own using the AWS RAM console
See Updating a Resource Share in the AWS RAM User Guide.
To unshare a shared firewall policy or rule group that you own using the AWS CLI
Use the disassociate-resource-share command.