Managing Access Control Lists for a large and especially growing number of web applications in your company can be a daunting task. By using the AWS Firewall Manager you have one central point to configure and manage all your Web Application Firewall (WAF) deployments. This will allow you to
create base rule sets that follow best-practices
manage your deployments as code
automatically deploy them for all newly added resources
enforce compliance of all managed accounts
leave room to create indivdual rules for specific applications, where needed
but skip the mandatory ones
In this article we want to look at when to use AWS Firewall Manager, how to create a base rulse-set and what an example deployment will look like.
Is AWS Firewall Manager right for me?
The service is best used if you are managing a huge number of applications, over multiple accounts. It will allow you to enforce the use of a base ruleset for all resources under its protection, while allowing Development Teams to still add their own rules where needed.
This centralized management also allows you to gain a holistic view of the threats that are targeting your applications, by being the single point to gather your logs. This enables you to create insightful dashboards for your team to react to security threats or tweak their deployed rulesets.
In short, whenever you feel that you organization is at a size where the implementation of a centralized, core-ruleset with the accompanying central logging is needed, it may be worth checking out AWS Firewall Manager.
How to create a base ruleset?
This topic is obviously to big to adequately to cover it in the space of this article, but I want to give you some basic guidelines to make the whole endavour less terrifying.
If you are already running a WAF, you can just go with the rules that you are currently using and that are working for your applications and traffic.
Another approach would be to start with your classic static rules like a BlockList and AllowList. Then take a look at the AWS Managed Rules building the rest of your ruleset from there. Pick a few rule groups from the baseline rule groups, add some use-case specific rules, like the
SQL database managed rule group add IP reputation rule groups and the AWS WAF Bot Control rule group. With all that you are off to a pretty good start.
After defining the first iteration of your base ruleset you should deploy it in count mode on a resource you want to protect (in addtion to any other protection and in higher priority) to monitor the behavoir of your ruleset. Does it overblock? Is malicous traffic getting through? Use this info to refine your ruleset.
The Firewall Manager can deploy its rules as managed pre- or post-rules. The former will be applied before any of the custom rules from the development teams, the latter after the custom rules. This will allow you to enforce certain rules to always be applied before they might be skipped by a custom rule put in place by the development teams.
This overview should give you a rough example how you can manage and deploy the AWS Firewall Manager.
Use a central repository to configure and persist you Firewall Manager:
This is where you define the policies and rulegroups
you can add addtional assessts, like IP Sets and Lambdas
You can match which policies go into which account here as well
From your repository code can be deployed into your Firewall Manager Management Account. The Firewall Manager will then protect the resources under its umbrella as defined by you.
It can be set up to send all log into a central S3 Bucket in a logging account. This will allow you to enrich the logs to build even more insightful dashbaords.
Structuring an all-encompassing defence can become convulted and complex. As using the AWS Firewall Manager puts you in control of the entire traffice flow, you can enforce policies on each point of the chain where thos policies are needed. This will help you breaking down the complexity into manageble chunks, deployed on each line of defence. As an additional benefit, this will help you stay well below AWS’ WCU limits, so you don’t have to send out manual requests everytime you want to protect a new resource.
Now you’ve learned how AWS Firewall Manager can help you manage WAF Security and compliance for a growing number of applications. Next time we are going to look at an alternative way to create a basic Firewall Manager Setup that you can manage from a singe .json file using CDK and the Firewall Factory open source project. Using this tool, you will be able to get a working Firewall Manager deployment, including a core rule set or one based on the OWASP Top 10, a basic logging solution and a capacity check straight out of the box.
We are here to help
If you want to use AWS Firewall Manager to protect your own workloads and need some help to get you started, feel free to contact us. We will help you getting your own setup off the ground and establish a basic ruleset.