

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# AWS Firewall Manager integration with AWS Security Hub CSPM
<a name="fms-findings"></a>

This page explains how to use Firewall Manager and Security Hub CSPM together.

AWS Firewall Manager creates findings for resources that are out of compliance and for attacks that it detects, and it sends them to AWS Security Hub CSPM. For information about Security Hub CSPM findings, see [Findings in AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html).

When you use Security Hub CSPM and Firewall Manager, Firewall Manager automatically sends your findings to Security Hub CSPM. For information about getting started with Security Hub CSPM, see [Setting Up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the [AWS Security Hub CSPM User Guide](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html).

**Note**  
Firewall Manager only updates findings for policies that are under its management and for resources that it's monitoring.  
Firewall Manager doesn't resolve findings for the following:  
+ Policies that have been deleted.
+ Resources that have been deleted.
+ Resources that have gone out of scope of the Firewall Manager policy, for example due to a tag change or a policy definition change.

**How do I view my Firewall Manager findings?**  
To view your Firewall Manager findings in Security Hub CSPM, follow the guidance at [Working with Findings in Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html#securityhub-managing-findings) and create a filter using the following settings: 
+ Attribute set to **Product Name**.
+ Operator set to **EQUALS**.
+ Value set to `Firewall Manager`. This setting is case sensitive.
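The same Product Name filter applied locally to findings in the AWS Security Finding Format, as an added example that is not part of the AWS documentation. The sample records are constructed, the `PRODUCT_FILTER` constant uses the filter shape that `aws securityhub get-findings --filters` accepts, and the attack-severity threshold in `triage` is an assumption, not a Security Hub rule.

```python
"""Triage Firewall Manager findings in Security Hub ASFF form (constructed samples)."""
from collections import Counter

# Same filter the console builds (Product Name EQUALS "Firewall Manager"); this is
# also the shape `aws securityhub get-findings --filters` accepts.
PRODUCT_FILTER = {"ProductName": [{"Value": "Firewall Manager", "Comparison": "EQUALS"}]}

SAMPLE_FINDINGS = [  # constructed records, not real findings
    {"Id": "f-1", "ProductName": "Firewall Manager", "RecordState": "ACTIVE",
     "Title": "Resource is missing Firewall Manager managed web ACL.",
     "Severity": {"Normalized": 80, "Label": "HIGH"}, "Compliance": {"Status": "FAILED"}},
    {"Id": "f-2", "ProductName": "Firewall Manager", "RecordState": "ACTIVE",
     "Title": "Resource lacks Shield Advanced protection.",
     "Severity": {"Normalized": 1, "Label": "INFORMATIONAL"}, "Compliance": {"Status": "PASSED"}},
    {"Id": "f-3", "ProductName": "Firewall Manager", "RecordState": "ACTIVE",
     "Title": "Shield Advanced detected attack against monitored resource.",
     "Severity": {"Normalized": 70, "Label": "HIGH"}},  # attack finding: no Compliance block
    {"Id": "f-4", "ProductName": "firewall manager", "RecordState": "ACTIVE",  # wrong case
     "Title": "Resource has misconfigured security group.",
     "Severity": {"Normalized": 70, "Label": "HIGH"}, "Compliance": {"Status": "FAILED"}},
    {"Id": "f-5", "ProductName": "Security Hub", "RecordState": "ACTIVE",
     "Title": "Unrelated control", "Severity": {"Normalized": 40, "Label": "MEDIUM"},
     "Compliance": {"Status": "FAILED"}},
]


def matches_filter(finding, filters=PRODUCT_FILTER):
    """Apply Security Hub StringFilter EQUALS semantics locally: exact, case-sensitive match."""
    for field, clauses in filters.items():
        value = finding.get(field)
        if not any(c["Comparison"] == "EQUALS" and value == c["Value"] for c in clauses):
            return False
    return True


def triage(findings, attack_threshold=70):
    """Count active Firewall Manager findings by Compliance.Status and list the IDs
    that need a human: FAILED compliance, or a status-less finding (such as a Shield
    Advanced attack) at or above attack_threshold. The threshold is an assumption here."""
    by_status, needs_attention = Counter(), []
    for f in filter(matches_filter, findings):
        if f.get("RecordState") != "ACTIVE":  # archived findings are history, skip them
            continue
        status = f.get("Compliance", {}).get("Status", "NONE")
        by_status[status] += 1
        if status == "FAILED" or (status == "NONE"
                                  and f["Severity"]["Normalized"] >= attack_threshold):
            needs_attention.append(f["Id"])
    return dict(by_status), needs_attention
```

Note that `f-4` is dropped: the filter is case sensitive, exactly as the console setting above describes.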

**Can I disable this?**  
You can disable the integration of AWS Firewall Manager findings with Security Hub CSPM through the Security Hub CSPM console. Choose **Integrations** in the navigation bar, then in the Firewall Manager pane, choose **Disable Integration**. For more information, see the [AWS Security Hub CSPM User Guide](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html).

**Topics**
+ [AWS WAF policy Firewall Manager findings](waf-policy-findings.md)
+ [AWS Shield Advanced policy Firewall Manager findings](shield-policy-findings.md)
+ [Security group common policy Firewall Manager findings](security-group-common-policy-findings.md)
+ [Security group content audit policy Firewall Manager findings](security-group-content-audit-policy-findings.md)
+ [Security group usage audit policy Firewall Manager findings](security-group-usage-audit-policy-findings.md)
+ [Amazon Route 53 Resolver DNS Firewall policy Firewall Manager findings](dns-firewall-policy-findings.md)
+ [AWS Config Firewall Manager findings](aws-config-firewall-manager-findings.md)

# AWS WAF policy Firewall Manager findings
<a name="waf-policy-findings"></a>

This page explains Firewall Manager findings for AWS WAF policies.

You can use Firewall Manager AWS WAF policies to apply AWS WAF rule groups to your resources in AWS Organizations. For more information, see [Using AWS Firewall Manager policies](working-with-policies.md).

**Resource is missing Firewall Manager managed web ACL.**  
An AWS resource doesn't have the AWS Firewall Manager managed web ACL association in accordance with the Firewall Manager policy. You can enable Firewall Manager remediation on the policy to correct this. 
+ Severity – 80
+ Status settings – PASSED/FAILED
+ Updates – If Firewall Manager performs the remediation action, it will update the finding and the severity will lower from `HIGH` to `INFORMATIONAL`. If you perform the remediation, Firewall Manager will not update the finding. 

**Firewall Manager managed web ACL has misconfigured rule groups.**  
This is an AWS WAF Classic policy finding. The rule groups in a web ACL that's managed by Firewall Manager are not configured correctly according to the Firewall Manager policy, meaning that the web ACL is missing the rule groups that the policy requires. You can enable Firewall Manager remediation on the policy to correct this.
+ Severity – 80
+ Status settings – PASSED/FAILED
+ Updates – If Firewall Manager performs the remediation action, it will update the finding and the severity will lower from `HIGH` to `INFORMATIONAL`. If you perform the remediation, Firewall Manager will not update the finding. 

# AWS Shield Advanced policy Firewall Manager findings
<a name="shield-policy-findings"></a>

This page explains Firewall Manager findings for AWS Shield Advanced policies.

For information about AWS Shield Advanced policies, see [Using security group policies in Firewall Manager to manage Amazon VPC security groups](security-group-policies.md).

**Resource lacks Shield Advanced protection.**  
An AWS resource that should have Shield Advanced protection, according to the Firewall Manager policy, doesn't have it. You can enable Firewall Manager remediation on the policy, which will enable the protection for the resource. 
+ Severity – 60
+ Status settings – PASSED/FAILED
+ Updates – If Firewall Manager performs the remediation action, it will update the finding and the severity will lower from `HIGH` to `INFORMATIONAL`. If you perform the remediation, Firewall Manager will not update the finding. 

**Shield Advanced detected attack against monitored resource.**  
Shield Advanced detected an attack on a protected AWS resource. You can enable Firewall Manager remediation on the policy.
+ Severity – 70
+ Status settings – None
+ Updates – Firewall Manager does not update this finding.

# Security group common policy Firewall Manager findings
<a name="security-group-common-policy-findings"></a>

This page explains Firewall Manager findings for security group common policies.

For information about security group common policies, see [Using security group policies in Firewall Manager to manage Amazon VPC security groups](security-group-policies.md).

**Resource has misconfigured security group.**  
Firewall Manager has identified a resource that is missing the Firewall Manager managed security group associations that it should have, according to the Firewall Manager policy. You can enable Firewall Manager remediation on the policy, which creates the associations according to the policy settings. 
+ Severity – 70
+ Status settings – PASSED/FAILED
+ Updates – Firewall Manager updates this finding.

**Firewall Manager replica security group is out of sync with primary security group.**  
A Firewall Manager replica security group is out of sync with its primary security group, according to their common security group policy. You can enable Firewall Manager remediation on the policy, which syncs the replica security groups with the primary.
+ Severity – 80
+ Status settings – PASSED/FAILED
+ Updates – Firewall Manager updates this finding.

# Security group content audit policy Firewall Manager findings
<a name="security-group-content-audit-policy-findings"></a>

This page explains Firewall Manager findings for security group content audit policies.

For information about security group content audit policies, see [Using security group policies in Firewall Manager to manage Amazon VPC security groups](security-group-policies.md).

**Security group is not in compliance with content audit security group.**  
A Firewall Manager security group content audit policy has identified a noncompliant security group. This is a customer-created security group that's in scope of the content audit policy and that doesn't comply with the settings defined by the policy and its audit security group. You can enable Firewall Manager remediation on the policy, which modifies the noncompliant security group to bring it into compliance.
+ Severity – 70
+ Status settings – PASSED/FAILED
+ Updates – Firewall Manager updates this finding.

# Security group usage audit policy Firewall Manager findings
<a name="security-group-usage-audit-policy-findings"></a>

This page explains Firewall Manager findings for security group usage audit policies.

For information about security group usage audit policies, see [Using security group policies in Firewall Manager to manage Amazon VPC security groups](security-group-policies.md).

**Firewall Manager found redundant security group.**  
The Firewall Manager security group usage audit has identified a redundant security group. This is a security group with an identical rule set to another security group within the same Amazon Virtual Private Cloud instance. You can enable Firewall Manager automatic remediation on the usage audit policy, which replaces redundant security groups with a single security group.
+ Severity – 30
+ Status settings – None
+ Updates – Firewall Manager does not update this finding.

**Firewall Manager found unused security group.**  
The Firewall Manager security group usage audit has identified an unused security group. This is a security group that's not referenced by any Firewall Manager common security group policy. You can enable Firewall Manager automatic remediation on the usage audit policy, which removes unused security groups.
+ Severity – 30
+ Status settings – None
+ Updates – Firewall Manager does not update this finding.

# Amazon Route 53 Resolver DNS Firewall policy Firewall Manager findings
<a name="dns-firewall-policy-findings"></a>

This page explains Firewall Manager findings for Amazon Route 53 Resolver DNS Firewall policies.

For information about DNS Firewall policies, see [Using Amazon Route 53 Resolver DNS Firewall policies in Firewall Manager](dns-firewall-policies.md).

**Resource is missing DNS Firewall protection**  
A VPC is missing a DNS Firewall rule group association that's defined in the Firewall Manager DNS Firewall policy. The finding lists the rule group that's specified by the policy.
+ Severity – 80

# AWS Config Firewall Manager findings
<a name="aws-config-firewall-manager-findings"></a>

This page explains Firewall Manager findings for AWS Config.

For information about AWS Config, see [Enabling AWS Config for using Firewall Manager](enable-config.md).

**Account does not have AWS Config enabled in the Region.**  
Firewall Manager requires AWS Config to be enabled in your account and Region. To resolve this issue, enable AWS Config in the account and Region where you want to use Firewall Manager.
+ Status settings – PASSED/FAILED
+ Updates – Firewall Manager updates this finding.

**Note**  
After you enable AWS Config, the compliance status changes to PASS, but the severity remains HIGH.

**Note**  
In order for Firewall Manager to monitor policy compliance, AWS Config must continuously record configuration changes for protected resources. In your AWS Config configuration, the recording frequency must be set to **Continuous**, which is the default setting. 