« Back to News

Centrally manage your AWS WAF rules setup

In the previous blog, we shared how you can secure your web applications, portals and API’s with the help of AWS WAS and AWS Shield. In this blog, we will illustrate how you can configure the newly launched AWS Firewall Manager.

This year, on April the 4th, Amazon launched a new product. AWS Firewall Manager, a service which can be used to configuring and managing AWS WAF rules centrally and still use those rules across multiple accounts and regions.

The Firewall Manager helps us in rolling out the AWS WAF changes across ELBs and CloudFront distributions in multiple accounts which are covered by AWS Organizations. For e.g., we can configure “Block-certain-IP-ranges” or “allow-geographical-location” rule in the main account and then roll out these changes to all other WAFs configured in AWS accounts for Dev, Test, Staging, Customer 1-n, etc.

You must be wondering what is the benefit we get because of this new service

  • Centrally manage the rules at one place
  • Rapid response to newly discovered attacks.
  • Compliance – all WAFs have the same set of tested/ verified rules and configurations
  • Different applications/ services can be protected easily now with less hassle of redoing the steps

Before illustrating steps to configuring your Firewall Manager, let’s take a look at how the AWS WAF Manager works in an ideal scenario.

Source: Amazon AWS

In the above illustration, AWS WAF is used with AWS Lambda to block requests from

specific IP addresses.

How to configure Firewall Manager

Prerequisite

  1. AWS account should be covered under AWS Organizations
  2. AWS account should be set as ‘AWS Firewall Manager administrator’
  1. AWS Config should be enabled for all accounts under AWS Organizations

Setup Steps

Most of the steps are similar to what we do in AWS WAF setup

Create Rule Group

  • A rule group is nothing but WAF rule sets
  • We can create our own custom rule group or use available rule group in AWS marketplace

Create Policy

  • In policy, we need to specify that what resources we need to protect with rule group policy

More options

Choose whether you want to add existing groups to policy or create new groups and choose the region

Name your policy and set/ add rule groups

Scope

Define the scope of your policy – basically what is covered by this (ELBs or Cloudfront distributions) and whether you want to apply to all existing resources or not.

Review and confirm

A final confirmation is needed.

This will take a few minutes to complete and after that, you will be shown a status screen that shows all the resources where Policy was applied.

This is part II of the series of blogs on AWS’ application security offerings and how you can use them to secure your applications. In the next blog, we will test the validity and performance of the setup we discussed in part I on Web Application Security using AWS WAF andAWS Shield. Stay tuned.

Leave a Reply

About the Writer

  • Farida Pathan

    Farida Pathan is a DevOps engineer with a diversified background in DevOps, automation, scripting, etc. She has a deep interest in helping customers using Cloud, Containers, Orchestration which motivates her to solve a complex problem using simpler and effective solutions.

How Can Synerzip Help You?

By partnering with Synerzip, clients rapidly scale their engineering team, decrease time to market and save at least 50 percent with our Agile development teams in India.