AWS Firewall Manager: Centralized WAF, Shield, Security Group Management
Learn how to centrally manage WAF, Shield Advanced, and Security Groups across multiple accounts with AWS Firewall Manager.
Related Exam Domains
- Domain 1: Design Secure Architectures
Key Takeaway
AWS Firewall Manager is a service that centrally creates, applies, and audits security rules for WAF, Shield Advanced, Security Groups, and more across multiple accounts and resources in AWS Organizations. Security policies are automatically applied when new accounts or resources are added.
Exam Tip
Exam Essential: "Central management of security rules across multiple accounts = Firewall Manager"; Prerequisites: AWS Organizations + WAF enabled
What is Firewall Manager?
A management service that centrally creates, applies, and audits security rules across multiple AWS accounts.
```
┌─────────────────────────────────────────────┐
│ AWS Organizations                           │
│                                             │
│  ┌──────────────────────────────────────┐   │
│  │ Firewall Manager                     │   │
│  │                                      │   │
│  │ Security Policy Definition           │   │
│  │  ├── WAF Policy                      │   │
│  │  ├── Shield Advanced Policy          │   │
│  │  ├── Security Group Policy           │   │
│  │  ├── Network Firewall Policy         │   │
│  │  └── DNS Firewall Policy             │   │
│  └──────────────────────────────────────┘   │
│           │           │           │         │
│           ▼           ▼           ▼         │
│      [Account A] [Account B] [Account C]    │
│       Auto-apply  Auto-apply  Auto-apply    │
└─────────────────────────────────────────────┘
```
Prerequisites
| Requirement | Description |
|---|---|
| AWS Organizations | Required; all features must be enabled |
| Admin Account Designation | Set Firewall Manager admin account |
| AWS Config | Enable Config in all target accounts |
Managed Security Services
| Security Service | Firewall Manager Policy | Target Resources |
|---|---|---|
| AWS WAF | Bulk apply WAF rule groups | CloudFront, ALB, API Gateway |
| Shield Advanced | Auto-subscribe and protect | CloudFront, ALB, EC2, EIP |
| Security Group | Apply/audit common rules | EC2, ENI |
| Network Firewall | Deploy network firewall | VPC |
| Route 53 DNS Firewall | DNS filtering rules | VPC |
Policy Types in Detail
1. WAF Policy
Bulk apply WAF rules to CloudFront and ALB across multiple accounts.
```
Firewall Manager WAF Policy:
├── Managed rule groups (OWASP, Bot Control)
├── Rate-based rules
└── Scope: All ALBs across all accounts
    → Auto-applied to new ALBs in new accounts
```
2. Shield Advanced Policy
Automatically enable Shield Advanced protection on designated resources.
3. Security Group Policy
| Policy Type | Description |
|---|---|
| Common Security Group | Apply specified SG to all targets |
| Audit Security Group | Detect rule violations (overly permissive rules, etc.) |
| Usage Audit | Detect unused/duplicate SGs |
4. Network Firewall Policy
Automatically deploy AWS Network Firewall to VPCs and apply firewall rules.
Firewall Manager vs Direct Management
| Aspect | Direct Management | Firewall Manager |
|---|---|---|
| Scope | Individual per-account setup | Organization-wide bulk apply |
| New Resources | Manual apply | Auto-apply |
| Compliance Check | Manual audit | Auto audit + alerts |
| Consistency | Hard to guarantee | Guaranteed |
| Cost | Service costs only | Additional cost per policy |
Exam Tip
Core Value: "When new accounts/resources are added, security policies are automatically applied."
Cost Structure
| Item | Cost |
|---|---|
| Security Policy | $100/policy/region/month |
| WAF Web ACL | Separate WAF charges apply |
| Shield Advanced | Separate Shield Advanced charges apply |
SAA-C03 Exam Focus Points
- ✅ When to Use: "Bulk manage WAF/Shield/SG across multiple accounts"
- ✅ Prerequisites: "Organizations + AWS Config required"
- ✅ Auto-Apply: "Security policies auto-apply to new resources"
- ✅ vs Direct WAF Setup: "Single account = direct WAF, Multi-account = Firewall Manager"
- ✅ Security Group Audit: "Detect excessive permission rules"
Exam Tip
Sample Exam Question: "Apply the same WAF rules to all ALBs across 50 accounts, and auto-apply when new accounts are added." → Answer: AWS Firewall Manager WAF Policy
Frequently Asked Questions (FAQ)
Q: Can I apply WAF to multiple accounts without Firewall Manager?
Technically possible with individual setup per account, but maintaining consistency is difficult and auto-apply to new resources isn't possible. Firewall Manager is recommended for multi-account environments.
Q: Which account configures Firewall Manager?
Designate a Firewall Manager admin account from the Organizations management account. Best practice is to designate a dedicated security account as admin.
Q: Can I exclude specific accounts or OUs from policies?
Yes. You can include/exclude specific accounts or OUs in the policy scope. For example, exclude Sandbox OU and apply only to Production OU.
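As an added example (not code from this page or from AWS), the Python below builds the Firewall Manager policy document for the WAF policy described earlier (a managed rule group applied to all ALBs, with auto-apply) using the OU include/exclude scope from this answer; the OU ids are constructed placeholders, and the field names follow the `fms put-policy` API.

```python
import json

PROD_OU = "ou-xxxx-prod00000"     # constructed placeholder, not a real OU id
SANDBOX_OU = "ou-xxxx-sbox00000"  # constructed placeholder, not a real OU id

def waf_managed_service_data(rule_group_names, default_action="ALLOW"):
    """WAFV2 configuration as the JSON *string* Firewall Manager expects in
    ManagedServiceData (a nested JSON object is rejected by put-policy)."""
    pre = [{
        "ruleGroupArn": None,
        "overrideAction": {"type": "NONE"},
        "managedRuleGroupIdentifier": {"version": None, "vendorName": "AWS",
                                       "managedRuleGroupName": name},
        "ruleGroupType": "ManagedRuleGroup",
        "excludeRules": [],
    } for name in rule_group_names]
    return json.dumps({
        "type": "WAFV2",
        "preProcessRuleGroups": pre,
        "postProcessRuleGroups": [],
        "defaultAction": {"type": default_action},
        "overrideCustomerWebACLAssociation": False,
        "loggingConfiguration": None,
    })

def build_alb_waf_policy(name, include_ous, exclude_ous, remediate=True):
    """Scope = every ALB in include_ous minus exclude_ous. RemediationEnabled
    True attaches the web ACL to new ALBs automatically; False only audits."""
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": waf_managed_service_data(
                ["AWSManagedRulesCommonRuleSet"]),
        },
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "ExcludeResourceTags": False,
        "RemediationEnabled": remediate,
        "IncludeMap": {"ORG_UNIT": list(include_ous)},
        "ExcludeMap": {"ORG_UNIT": list(exclude_ous)},
    }

def rule_groups_in(policy):
    """Pre-flight check: managed rule group names carried in
    ManagedServiceData, or [] if it is not a parseable JSON string."""
    msd = policy["SecurityServicePolicyData"]["ManagedServiceData"]
    if not isinstance(msd, str):
        return []
    return [g["managedRuleGroupIdentifier"]["managedRuleGroupName"]
            for g in json.loads(msd).get("preProcessRuleGroups", [])]
```

Write the returned dict to `policy.json` with `json.dumps` and apply it from the Firewall Manager admin account with `aws fms put-policy --policy file://policy.json`.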
Q: What's the relationship between Firewall Manager and AWS Config?
Firewall Manager uses AWS Config to detect resource changes and evaluate policy compliance. Therefore, Config must be enabled in target accounts.
Q: What's the difference between Network Firewall and WAF?
WAF inspects L7 (HTTP/HTTPS) web traffic, while Network Firewall inspects all network traffic at L3/L4 (TCP, UDP, ICMP, etc.). They serve different purposes and using both is best practice.