Managing Access Control Lists for a large and especially growing number of web applications in your company can be a daunting task. By using the AWS Firewall Manager you have one central point to configure and manage all your Web Application Firewall (WAF) deployments. This will allow you to

• create base rule sets that follow best-practices

• manage your deployments as code

• automatically deploy them for all newly added resources

• enforce compliance of all managed accounts

• leave room to create indivdual rules for specific applications, where needed

• but skip the mandatory ones

In this article we want to look at when to use AWS Firewall Manager, how to create a base rulse-set and what an example deployment will look like.

Is AWS Firewall Manager right for me?

The service is best used if you are managing a huge number of applications, over multiple accounts. It will allow you to enforce the use of a base ruleset for all resources under its protection, while allowing Development Teams to still add their own rules where needed.

This centralized management also allows you to gain a holistic view of the threats that are targeting your applications, by being the single point to gather your logs. This enables you to create insightful dashboards for your team to react to security threats or tweak their deployed rulesets.

In short, whenever you feel that you organization is at a size where the implementation of a centralized, core-ruleset with the accompanying central logging is needed, it may be worth checking out AWS Firewall Manager.

To use AWS Firewall Manager you need atleast to have AWS Organizations enabled and an AWS Firewall Manager Account set up, as well as AWS Config enabled.

How to create a base ruleset?

This topic is obviously to big to adequately to cover it in the space of this article, but I want to give you some basic guidelines to make the whole endavour less terrifying.

If you are already running a WAF, you can just go with the rules that you are currently using and that are working for your applications and traffic.

Another approach would be to start with your classic static rules like a BlockList and AllowList. Then take a look at the AWS Managed Rules building the rest of your ruleset from there. Pick a few rule groups from the baseline rule groups, add some use-case specific rules, like the SQL database managed rule group add IP reputation rule groups and the AWS WAF Bot Control rule group. With all that you are off to a pretty good start.

After defining the first iteration of your base ruleset you should deploy it in count mode on a resource you want to protect (in addtion to any other protection and in higher priority) to monitor the behavoir of your ruleset. Does it overblock? Is malicous traffic getting through? Use this info to refine your ruleset.

The Firewall Manager can deploy its rules as managed pre- or post-rules. The former will be applied before any of the custom rules from the development teams, the latter after the custom rules. This will allow you to enforce certain rules to always be applied before they might be skipped by a custom rule put in place by the development teams.

Example Deployment

This overview should give you a rough example how you can manage and deploy the AWS Firewall Manager.

Use a central repository to configure and persist you Firewall Manager:

• This is where you define the policies and rulegroups

• you can add addtional assessts, like IP Sets and Lambdas

• You can match which policies go into which account here as well

From your repository code can be deployed into your Firewall Manager Management Account. The Firewall Manager will then protect the resources under its umbrella as defined by you.

It can be set up to send all log into a central S3 Bucket in a logging account. This will allow you to enrich the logs to build even more insightful dashbaords.