© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• Learning Objectives
• Demo
Learning Objectives
• Learn how you can use Firewall Manager to centrally audit VPC security groups
• Learn how you can audit using both pre-configured and custom policies for different use cases
• Learn how you can identify violations and enable different techniques to remediate them
Service Overview
AWS Firewall Manager
Firewall Manager supports WAF, Shield and VPC Security Groups
AWS Security Hub
Firewall Manager supports central management of VPC security groups
Centrally Audit VPC Security Groups using AWS Firewall Manager
What is a VPC Security Group?
Challenges with Auditing Security Groups
• Application owners create their own security groups, and applications live across accounts in the organization
How does AWS Firewall Manager help
Central management of security groups: AWS Firewall Manager is integrated with AWS Organizations for central control
Central Management of Security Groups
How does AWS Firewall Manager help
Several options to monitor existing security group rules: audit security groups using pre-packaged or custom guardrails
Different Options to Audit VPC Security Groups
How does AWS Firewall Manager help
Detect non-compliance and remediate: discover resources and continuously monitor for misconfigured rules to avoid drift
Detect non-compliance and remediate
Demo: Pre-requisites
Firewall Manager Pre-requisites
Demo Setup: Firewall Manager
• Admin - TestAccount13: EC2 instance #1, EC2 instance #2, EC2 instance #3
• Member Account - TestAccount15: EC2 instance #1, EC2 instance #2
Demo: Firewall Manager Policy Basics
• Customer creates FMS Policy
• Specify Policy Scope and Actions
• Create Policy and View Reports
Demo #1
Use Case: Audit security groups for overly permissive CIDR ranges such as /0
Demo #2
Use Case: Audit for high-risk applications such as RDP and SSH accessing the internet
Demo #3
Use Case: Audit security groups to only allow SSH access from corporate IP addresses
Demo #4
Use Case: Identify and clean up any unused security groups
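The four demo use cases above are the kinds of checks a Firewall Manager audit security group policy evaluates centrally across an organization. As an added example (not code from the deck, AWS, or Firewall Manager), the script below runs the same four checks locally over data shaped like the `SecurityGroups` list from EC2 `DescribeSecurityGroups` and the `NetworkInterfaces` list from `DescribeNetworkInterfaces`. The group IDs, CIDRs and the "corporate" range are constructed sample values, and the check functions are this example's own; a practitioner would swap in real API output.

```python
"""Offline audit of VPC security group rules mirroring the four demo use cases.

Added example, not AWS or Firewall Manager code. Input dictionaries follow the
shape of EC2 DescribeSecurityGroups / DescribeNetworkInterfaces responses; all
sample values below are constructed for illustration.
"""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")
HIGH_RISK_PORTS = {22: "ssh", 3389: "rdp"}  # demo #2 applications

# Constructed sample: three security groups, two of them attached to ENIs.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "198.51.100.7/32"}],
         "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "orphaned", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-0aaa"}]},
    {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-0bbb"}]},
]
CORPORATE_CIDRS = ["203.0.113.0/24"]  # constructed "corporate" address range


def _rule_cidrs(perm):
    """Yield every IPv4/IPv6 CIDR on one IpPermissions entry as an ip_network."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def _covers_port(perm, port):
    """True if the rule's protocol/port range includes `port` ("-1" = all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_open_cidr_rules(groups):
    """Demo #1: ingress rules whose source is an entire address space (/0)."""
    hits = []
    for g in groups:
        for perm in g["IpPermissions"]:
            for net in _rule_cidrs(perm):
                if net in (ANY_V4, ANY_V6):
                    hits.append((g["GroupId"], str(net), perm.get("FromPort", "all")))
    return hits


def find_high_risk_open_ports(groups, ports=HIGH_RISK_PORTS):
    """Demo #2: SSH/RDP reachable from the internet (any /0 source)."""
    hits = []
    for g in groups:
        for perm in g["IpPermissions"]:
            for port, name in ports.items():
                if _covers_port(perm, port) and any(n in (ANY_V4, ANY_V6) for n in _rule_cidrs(perm)):
                    hits.append((g["GroupId"], name))
    return hits


def find_ssh_outside_corporate(groups, corporate_cidrs):
    """Demo #3: SSH ingress from any source not contained in the corporate ranges."""
    corp = [ipaddress.ip_network(c) for c in corporate_cidrs]
    hits = []
    for g in groups:
        for perm in g["IpPermissions"]:
            if not _covers_port(perm, 22):
                continue
            for net in _rule_cidrs(perm):
                # subnet_of() raises on mixed IP versions, so compare versions first.
                if not any(net.version == c.version and net.subnet_of(c) for c in corp):
                    hits.append((g["GroupId"], str(net)))
    return hits


def find_unused_groups(groups, network_interfaces):
    """Demo #4: security groups not attached to any network interface."""
    in_use = {sg["GroupId"] for eni in network_interfaces for sg in eni["Groups"]}
    return sorted(g["GroupId"] for g in groups if g["GroupId"] not in in_use)


if __name__ == "__main__":
    print("open /0 rules:", find_open_cidr_rules(SAMPLE_GROUPS))
    print("ssh/rdp from internet:", find_high_risk_open_ports(SAMPLE_GROUPS))
    print("ssh outside corporate:", find_ssh_outside_corporate(SAMPLE_GROUPS, CORPORATE_CIDRS))
    print("unused groups:", find_unused_groups(SAMPLE_GROUPS, SAMPLE_ENIS))
```

Each finding here corresponds to a violation a Firewall Manager audit policy would report; the script only reports, leaving remediation (removing the rule, or deleting the unused group) as a separate, reviewed step rather than auto-applying it.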
What have we learnt so far…
AWS Firewall Manager Pricing for Security Group Policy
Region Availability
Available in 18 Regions
• US East (N. Virginia)
• US East (Ohio)
• US West (N. California)
• US West (Oregon)
• EU (Ireland)
• EU (Paris)
• EU (Frankfurt)
• EU (London)
• EU (Stockholm)
• Asia Pacific (Singapore)
• Asia Pacific (Sydney)
• Asia Pacific (Tokyo)
• Asia Pacific (Seoul)
• Asia Pacific (Mumbai)
• South America (São Paulo)
• Canada (Central)
• Middle East (Bahrain)
• Africa (Cape Town)
Getting Started Resources
Documentation - https://docs.aws.amazon.com/firewall-manager/index.html
Jeff Barr Blog Post - https://aws.amazon.com/blogs/aws/aws-firewall-manager-update-support-for-vpc-security-groups/
AWS Security Blog - https://aws.amazon.com/blogs/security/use-aws-firewall-manager-vpc-security-groups-to-protect-applications-hosted-on-ec2-instances/
AWS Firewall Manager Website - https://aws.amazon.com/firewall-manager/
Thank you!
We welcome your feedback. Please share your thoughts on social media.