In the previous blog, we shared how you can secure your web applications, portals and APIs with the help of AWS WAF and AWS Shield. In this blog, we will illustrate how you can configure the newly launched AWS Firewall Manager.
This year, on April 4th, Amazon launched a new product: AWS Firewall Manager, a service for configuring and managing AWS WAF rules centrally and applying those rules across multiple accounts and regions.
Firewall Manager helps us roll out AWS WAF changes across ELBs and CloudFront distributions in multiple accounts covered by AWS Organizations. For example, we can configure a “Block-certain-IP-ranges” or “allow-geographical-location” rule in the main account and then roll out these changes to all other WAFs configured in the AWS accounts for Dev, Test, Staging, Customer 1-n, etc.
You must be wondering what benefits this new service brings:
- Centrally manage the rules in one place.
- Rapid response to newly discovered attacks.
- Compliance: all WAFs have the same set of tested and verified rules and configurations.
- Different applications and services can now be protected easily, without redoing the same steps for each.
Before illustrating the steps to configure Firewall Manager, let’s take a look at how AWS WAF works in an ideal scenario.
Source: Amazon AWS
In the above illustration, AWS WAF is used with AWS Lambda to block requests from specific IP addresses.
How to configure Firewall Manager
- The AWS account must be a member of an AWS Organizations organization.
- The account must be set as the ‘AWS Firewall Manager administrator’.
- AWS Config must be enabled for all accounts in the organization.
Most of the steps are similar to those of an AWS WAF setup.
Create Rule Group
- A rule group is simply a set of WAF rules.
- We can create our own custom rule group or use a rule group available in the AWS Marketplace.
- In the policy, we specify which resources we need to protect with the rule group.
Choose whether you want to add existing rule groups to the policy or create new groups, and choose the region.
Name your policy and set/add rule groups.
Scope
Define the scope of your policy: what it covers (ELBs or CloudFront distributions) and whether you want to apply it to all existing resources or not.
Review and confirm
A final confirmation is needed. This will take a few minutes to complete, after which you will be shown a status screen listing all the resources the policy was applied to.
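As an added example (not code from the original post), here are the policy choices described above expressed as the payload Firewall Manager's PutPolicy API expects, built in Python. The rule group id and region are constructed placeholders, and the field names are those of the Firewall Manager WAF (classic) policy schema.

```python
import json

# Resource types Firewall Manager accepts as a WAF policy scope; these map the
# two choices the console offers (ELBs or CloudFront distributions).
SCOPE_RESOURCE_TYPES = {
    "elb": "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "cloudfront": "AWS::CloudFront::Distribution",
}


def build_waf_policy(name, rule_group_ids, scope, protect_existing,
                     region, default_action="BLOCK"):
    """Return the Policy payload for fms.put_policy.

    scope            : "elb" or "cloudfront" (the policy's resource type)
    protect_existing : True applies the rule groups to all existing in-scope
                       resources (RemediationEnabled); False covers only new ones
    region           : region the policy is created in; CloudFront policies
                       must live in us-east-1, which is validated here
    """
    if scope not in SCOPE_RESOURCE_TYPES:
        raise ValueError(f"scope must be one of {sorted(SCOPE_RESOURCE_TYPES)}")
    if not rule_group_ids:
        raise ValueError("a policy needs at least one rule group")
    if scope == "cloudfront" and region != "us-east-1":
        raise ValueError("CloudFront policies must be created in us-east-1")
    if default_action not in ("ALLOW", "BLOCK"):
        raise ValueError("default action must be ALLOW or BLOCK")

    # ManagedServiceData is a JSON document carried as a *string* inside the
    # policy; forgetting this double encoding is a common put-policy error.
    managed = {
        "type": "WAF",
        "ruleGroups": [{"id": rg, "overrideAction": {"type": "NONE"}}
                       for rg in rule_group_ids],
        "defaultAction": {"type": default_action},
    }
    return {
        "PolicyName": name,
        "RemediationEnabled": protect_existing,
        "ResourceType": SCOPE_RESOURCE_TYPES[scope],
        "ExcludeResourceTags": False,
        "SecurityServicePolicyData": {"Type": "WAF",
                                      "ManagedServiceData": json.dumps(managed)},
    }


if __name__ == "__main__":
    # Constructed sample values; the rule group id is a placeholder, not a real one.
    policy = build_waf_policy("block-bad-ip-ranges", ["RULEGROUP-ID-PLACEHOLDER"],
                              scope="elb", protect_existing=True, region="eu-west-1")
    print(json.dumps(policy, indent=2))
```

The returned dictionary is what you pass as `Policy=` to `boto3.client("fms").put_policy` from the Firewall Manager administrator account.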
This is part II of our series of blogs on AWS’ application security offerings and how you can use them to secure your applications. In the next blog, we will test the validity and performance of the setup we discussed in part I on web application security using AWS WAF and AWS Shield. Stay tuned.