Setting up AWS Firewall Manager Amazon VPC security group policies
To use AWS Firewall Manager to enable Amazon VPC security groups across your organization, perform the following steps in sequence.
Step 1: Completing the prerequisites
There are several mandatory steps to prepare your account for AWS Firewall Manager. Those steps are described in AWS Firewall Manager prerequisites. Complete all the prerequisites before proceeding to Step 2: Creating a security group to use in your policy.
Step 2: Creating a security group to use in your policy
In this step, you create a security group that you could apply across your organization using Firewall Manager.
Note
For this tutorial, you won't apply your security group policy to the resources in your organization. You'll just create the policy and see what would happen if you applied the policy's security group to your resources. You do this by disabling automatic remediation on the policy.
If you already have a general security group defined, skip this step and go to Step 3: Creating and applying a common security group policy.
To create a security group to use in a Firewall Manager common security group policy
-
Create a security group that you could apply to all accounts and resources in your organization, following the guidance under Security Groups for Your VPC in the Amazon VPC User Guide.
For information on the security group rules options, see Security Group Rules Reference.
You are now ready to go to Step 3: Creating and applying a common security group policy.
Step 3: Creating and applying a common security group policy
After completing the prerequisites, you create an AWS Firewall Manager common security group policy. A common security group policy provides a centrally controlled security group for your entire AWS organization. It also defines the AWS accounts and resources that the security group applies to. In addition to common security group policies, Firewall Manager supports content audit security group policies, to manage the security group rules in use in your organization, and usage audit security group policies, to manage unused and redundant security groups. For more information, see Using security group policies in Firewall Manager to manage Amazon VPC security groups.
For this tutorial, you create a common security group policy and set its action to not automatically remediate. This allows you to see what effect the policy would have without making changes to your AWS organization.
To create a Firewall Manager common security group policy (console)
-
Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2.
Note
For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.
-
In the navigation pane, choose Security policies.
-
If you have not met the prerequisites, the console displays instructions about how to fix any issues. Follow the instructions, and then return to this step, to create a common security group policy.
-
Choose Create policy.
-
For Policy type, choose Security group.
-
For Security group policy type, choose Common security groups.
-
For Region, choose an AWS Region.
-
Choose Next.
-
For Policy name, enter a descriptive name.
-
Policy rules allow you to choose how the security groups in this policy are applied and maintained. For this tutorial, leave the options unchecked.
-
Choose Add primary security group, select the security group that you created for this tutorial, and choose Add security group.
-
For Policy action, choose Identify resources that don’t comply with the policy rules, but don’t auto remediate.
-
Choose Next.
-
AWS accounts affected by this policy allows you to narrow the scope of your policy by specifying accounts to include or exclude. For this tutorial, choose Include all accounts under my organization.
-
For Resource type, choose one or more types, according to the resources you have defined for your AWS organization.
-
For Resources, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use inclusion or exclusion, but not both. For more information about tags, see Working with Tag Editor.
If you enter more than one tag, a resource must have all of the tags to be included or excluded.
Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value.
-
Choose Next.
-
For Policy tags, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see Working with Tag Editor.
-
Choose Next.
-
Review the new policy settings and return to any pages where you need to make adjustments.
Check to be sure that Policy actions is set to Identify resources that don’t comply with the policy rules, but don’t auto remediate. This allows you to review the changes that your policy would make before you enable them.
-
When you are satisfied with the policy, choose Create policy.
In the AWS Firewall Manager policies pane, your policy should be listed. It will probably indicate Pending under the accounts headings, and it will indicate the status of the Automatic remediation setting. The creation of a policy can take several minutes. After the Pending status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see Viewing compliance information for an AWS Firewall Manager policy.
-
When you are finished exploring, if you don't want to keep the policy you created for this tutorial, choose the policy name, choose Delete, choose Clean up resources created by this policy, and finally choose Delete.
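The console procedure above, expressed as the Policy document the Firewall Manager API accepts (an added example, not part of the AWS documentation): build_common_sg_policy returns the JSON you would pass to aws fms put-policy with this tutorial's settings (common security group, policy rules unchecked, no auto remediation, all accounts), and resource_matches implements the tag-scoping rule from the Resources step (every tag must match on both key and value). The security group ID is a constructed placeholder.

```python
import json
from typing import Dict, List, Optional

# Constructed placeholder: substitute the ID of the security group from Step 2.
PRIMARY_SG_ID = "sg-0123456789abcdef0"


def normalize_tags(tags: Dict[str, Optional[str]]) -> List[Dict[str, str]]:
    """Firewall Manager saves an omitted tag value as the empty string ""."""
    return [{"Key": k, "Value": "" if v is None else v} for k, v in tags.items()]


def resource_matches(resource_tags: Dict[str, str], policy_tags: List[Dict[str, str]]) -> bool:
    """In scope only if the resource carries every policy tag with the same key and value."""
    return all(resource_tags.get(t["Key"]) == t["Value"] for t in policy_tags)


def build_common_sg_policy(
    name: str,
    sg_id: str,
    resource_types: List[str],
    include_tags: Optional[Dict[str, Optional[str]]] = None,
    exclude_tags: Optional[Dict[str, Optional[str]]] = None,
    remediate: bool = False,
) -> dict:
    """Policy document for `aws fms put-policy --policy file://policy.json`.
    No IncludeMap/ExcludeMap means every account in the organization is targeted."""
    if include_tags and exclude_tags:
        raise ValueError("tag scoping uses inclusion or exclusion, not both")
    tags = include_tags or exclude_tags or {}
    # The three "Policy rules" check boxes left unchecked in the tutorial.
    managed = {
        "type": "SECURITY_GROUPS_COMMON",
        "revertManualSecurityGroupChanges": False,
        "exclusiveResourceSecurityGroupManagement": False,
        "applyToAllEC2InstanceENIs": False,
        "securityGroups": [{"id": sg_id}],
    }
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "SECURITY_GROUPS_COMMON",
            "ManagedServiceData": json.dumps(managed),  # a JSON string, not a nested object
        },
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": resource_types,
        "ResourceTags": normalize_tags(tags),
        "ExcludeResourceTags": bool(exclude_tags),
        # False = "Identify resources that don't comply ... but don't auto remediate".
        "RemediationEnabled": remediate,
    }
```

Write the returned dict to a file and review it before ever setting remediate=True; the same document can be re-applied later with remediation enabled once the compliance view shows the expected changes.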
For more information about Firewall Manager security group policies, see Using security group policies in Firewall Manager to manage Amazon VPC security groups.