Automatically secure your web applications company-wide with AWS Firewall Manager
The AWS Firewall Manager, a good companion
Managing web access control lists (web ACLs) for a large and, more importantly, growing number of web applications in your organization can be a daunting task. With AWS Firewall Manager, you have one central point to configure and manage all your Web Application Firewall (WAF) deployments. This lets you
- Establish a base rule set that follows best practice
- Manage your deployments as code
- Apply the base rule set automatically to all newly added resources
- Enforce compliance for all managed accounts
- Leave room for individual rules for specific applications where required, without letting those rules skip the mandatory ones
In this article, we will look at when AWS Firewall Manager should be used, how to create a basic rule set and what a sample deployment looks like.
Is AWS Firewall Manager right for me?
The service is best suited if you manage a large number of applications across multiple accounts. It allows you to enforce the use of a basic set of rules for all resources under its protection, while development teams can add their own rules if required.
This centralized management also gives you a holistic view of the threats targeting your applications as the logs are collected in a single place. This allows you to create insightful dashboards for your team to respond to security threats or optimize the rule sets deployed.
In short, if you feel that your organization has reached a size where implementing a centralized core rule set with associated centralized logging is necessary, it may be worthwhile to try AWS Firewall Manager.
To use AWS Firewall Manager, you need at least AWS Organizations enabled with all features, a designated Firewall Manager administrator account, and AWS Config enabled in every account and Region that Firewall Manager should manage.
How do you create a basic rule set?
This topic is obviously too vast to adequately cover in the scope of this article, but I would like to give you some basic guidelines to make the whole endeavor less daunting.
If you already operate a WAF, you can simply start from the rules you currently use and that are proven to work for your applications and your traffic.
Another approach is to start with your classic static rules, such as an IP block list and an IP allow list (IP sets). Then look at the AWS Managed Rules and build the rest of your rule set on top of them: select some of the baseline rule groups, add application-specific rule groups such as the SQL database rule group, the IP reputation rule groups and the AWS WAF Bot Control rule group. This gives you a pretty good start.
After you have defined the first iteration of your base rule set, deploy it in Count mode on a resource to be protected (in addition to that resource's existing protections and with a higher priority than them) and monitor the behavior of your rule set. Is it over-blocking? Is malicious traffic being counted rather than allowed through unnoticed? Use the sampled requests and metrics to refine your rule set before switching it to enforcing mode.
Firewall Manager can place its rule groups as first rule groups (pre-process) or last rule groups (post-process). The former are evaluated before the development team's custom rules, the latter after them. Because an Allow or Block action terminates web ACL evaluation, a rule group placed first can never be bypassed by a permissive custom rule, whereas a rule group placed last only sees the requests the custom rules did not already decide on. Put the rules that must always apply in the first position.
Example of use
This overview is intended to give you a rough example of how you can manage and deploy AWS Firewall Manager.
Use a central repository to configure and maintain Firewall Manager:
- This is where you define the policies and rule groups
- You can add additional assets, such as IP sets and Lambda functions
- It also records which policies apply to which accounts
From your repository, the code is deployed to your Firewall Manager administrator account. Firewall Manager then protects the resources you have placed under its umbrella.
It can be set up to send all logs to a central S3 bucket in a logging account. This allows you to enrich the logs and build even more insightful dashboards.
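The following block is an added example and not code from the original article. It shows what the "base rule set as code" from the previous section and the repository deployment described here look like in practice: a Python module that builds the `ManagedServiceData` document of a Firewall Manager WAFv2 policy from a list of AWS managed rule groups, places the mandatory groups first and the application-specific ones last, stages everything in Count mode for the first iteration, wires up central logging, and runs the sanity checks a CI pipeline should apply before calling `put_policy`. The managed rule group names are real AWS names; the policy name, account IDs and the log destination ARN are constructed placeholders.

```python
"""Build an AWS Firewall Manager (FMS) WAFv2 policy as code.

Added example: account IDs, policy name and the log destination ARN below
are placeholders; replace them with the values of your organization.
"""
import json

# Mandatory base rule set, placed first so no custom rule can bypass it.
PRE_RULE_GROUPS = [
    "AWSManagedRulesAmazonIpReputationList",
    "AWSManagedRulesCommonRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
]
# Application-specific groups, placed last (after the teams' own rules).
POST_RULE_GROUPS = ["AWSManagedRulesSQLiRuleSet"]


def managed_rule_group(name: str, count_only: bool) -> dict:
    """One entry of pre/postProcessRuleGroups in the FMS policy document.

    count_only=True runs the group in Count mode (overrideAction COUNT):
    matches are logged and emitted as metrics but nothing is blocked,
    which is how a new base rule set should be staged before enforcing it.
    """
    return {
        "ruleGroupType": "ManagedRuleGroup",
        "ruleGroupArn": None,
        "managedRuleGroupIdentifier": {
            "vendorName": "AWS",
            "managedRuleGroupName": name,
            "version": None,  # None = the vendor's current default version
        },
        "overrideAction": {"type": "COUNT" if count_only else "NONE"},
        "excludeRules": [],
    }


def managed_service_data(count_only: bool, log_destination_arn: str) -> dict:
    """The ManagedServiceData document FMS expects for a WAFV2 policy."""
    return {
        "type": "WAFV2",
        "preProcessRuleGroups": [managed_rule_group(n, count_only) for n in PRE_RULE_GROUPS],
        "postProcessRuleGroups": [managed_rule_group(n, count_only) for n in POST_RULE_GROUPS],
        "defaultAction": {"type": "ALLOW"},
        # True: a resource that already carries its own web ACL is re-associated
        # with the FMS-managed web ACL, so the base rule set cannot be opted out of.
        "overrideCustomerWebACLAssociation": True,
        "loggingConfiguration": {
            "logDestinationConfigs": [log_destination_arn],
            # Keep credentials out of the central log bucket.
            "redactedFields": [
                {"redactedFieldType": "SingleHeader", "redactedFieldValue": "authorization"},
                {"redactedFieldType": "SingleHeader", "redactedFieldValue": "cookie"},
            ],
        },
    }


def build_policy(policy_name: str, account_ids, log_destination_arn: str,
                 count_only: bool = True) -> dict:
    """Full `Policy` argument for fms.put_policy (same shape as AWS::FMS::Policy)."""
    return {
        "PolicyName": policy_name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": json.dumps(managed_service_data(count_only, log_destination_arn)),
        },
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "ResourceTags": [],
        "ExcludeResourceTags": False,
        "RemediationEnabled": True,  # protect newly created ALBs automatically
        "IncludeMap": {"ACCOUNT": list(account_ids)},
    }


def check_policy(policy: dict) -> list:
    """Pre-deployment checks for the CI pipeline; returns a list of findings."""
    findings = []
    data = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    if not data["preProcessRuleGroups"] + data["postProcessRuleGroups"]:
        findings.append("policy carries no rule groups")
    dests = data.get("loggingConfiguration", {}).get("logDestinationConfigs", [])
    if not dests:
        findings.append("no log destination: central logging is disabled")
    for arn in dests:
        # AWS WAF only accepts log destinations whose name starts with aws-waf-logs-
        if not arn.rsplit("/", 1)[-1].split(":")[-1].startswith("aws-waf-logs-"):
            findings.append("log destination %s is not named aws-waf-logs-*" % arn)
    if not policy.get("RemediationEnabled"):
        findings.append("RemediationEnabled is false: new resources are not auto-protected")
    return findings


if __name__ == "__main__":
    # Placeholder account and ARN (assumption); run this in the FMS administrator account.
    policy = build_policy("org-base-waf", ["111111111111"],
                          "arn:aws:firehose:eu-central-1:222222222222:deliverystream/aws-waf-logs-central")
    problems = check_policy(policy)
    if problems:
        raise SystemExit("\n".join(problems))
    print(json.dumps(policy, indent=2))
    # Deploy from the pipeline with: boto3.client("fms").put_policy(Policy=policy)
```

Run the module once with `count_only=True`, watch the `CountedRequests` metrics and sampled requests of the resulting web ACL, and only then rebuild with `count_only=False` and deploy again; because the whole policy is derived from the two rule group lists, the switch from staging to enforcing is a one-line change in the repository rather than a manual edit in the console.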

Multi-layer protection
Building an all-encompassing defense can be complicated and complex. Because AWS Firewall Manager lets you apply policies at each point in the request path (for example a CloudFront distribution, an Application Load Balancer and an API Gateway stage), you can enforce the rules that belong at each layer exactly there. This breaks the complexity down into manageable pieces, one per line of defense. An additional benefit is that each web ACL stays well below the AWS WAF web ACL capacity unit (WCU) limit, so you don't have to request a quota increase every time you want to protect a new resource.

Next steps
You've now learned how AWS Firewall Manager can help you manage WAF security and compliance for a growing number of applications. Next time, we'll look at an alternative way to create a basic Firewall Manager setup that you can manage from a single .json file using the CDK and the Firewall Factory open source project. With this tool, you can create a working Firewall Manager installation, including a core rule set or a rule set based on the OWASP Top 10, a basic logging solution and a WCU capacity check, right out of the box.

We are here to help
If you want to use AWS Firewall Manager to protect your own workloads and need help getting started, feel free to contact us. We'll help you get your own setup up and running and create a basic rule set.