
How to centrally audit and remediate VPC security groups using AWS Firewall Manager

Adhish Bhobe, Senior Product Manager, AWS

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda

• Learning Objectives
• Intro to AWS Firewall Manager
• Deep Dive: Audit VPC Security Groups using Firewall Manager
• Demo
• Getting started resources
Learning Objectives

• Learn how you can use Firewall Manager to centrally audit VPC security groups
• Learn how you can audit using both pre-configured and custom policies for different use cases
• Learn how you can identify violations and enable different techniques to remediate them

Service Overview
AWS Firewall Manager

AWS Firewall Manager is a security management service to centrally configure and manage your firewall policies across your accounts and applications in your AWS Organization.
Firewall Manager supports WAF, Shield and VPC Security Groups

AWS Security Hub

• AWS WAF
• AWS WAF Classic
• AWS Shield Advanced
• VPC Security Groups
Firewall Manager supports central management of VPC security groups

• Configure baseline security groups
• Audit existing security groups
Centrally Audit VPC Security Groups using AWS Firewall Manager
What is a VPC Security Group

• Virtual firewall for your VPC EC2 instance
• Allows you to enable network traffic to and from EC2 resources within a VPC
• Multiple security groups can be assigned to a network interface
Challenges with Auditing Security Groups

Distributed owners for applications and security groups

• Application owners create their own security groups; applications live across accounts in the organization
• Important to audit rules created by application owners
• Difficult to ensure consistency across applications
• Administrators want to…
  - Set guard rails for valid or invalid security group rules
  - Continuously monitor security groups to prevent overly permissive rules
Challenges with Auditing Security Groups

Constant changes, as new resources are created

• Discovering new applications and resources is an operational burden
• Applications constantly change security posture
• Administrators want to…
  - Discover new resources as and when they are created
  - Consistently audit rules, provide audit-ready infrastructure
Challenges with Auditing Security Groups

Visibility into violations and non-compliant events

• No single reporting dashboard for detailed non-compliant events
• Lack of visibility in reporting non-compliant events makes it hard to troubleshoot events
• Administrators want to…
  - Single reporting dashboard for detailed non-compliant events
  - Automatically remediate misconfigured security group rules
How does AWS Firewall Manager help

• Central management of security groups: AWS Firewall Manager is integrated with AWS Organizations for central control
• Several options to monitor existing security group rules: Audit security groups using pre-packaged or custom guardrails
• Detect non-compliance and remediate: Discover resources and continuously monitor for misconfigured rules to avoid drift
Central Management of Security Groups

• Firewall Manager is integrated with AWS Organizations
• Designate an account as the Firewall Manager Administrator
• The administrator can now easily manage security groups across their organization from their account
Different Options to Audit VPC Security Groups

Managed Audit Rules
• Pre-configured audit checks to apply across accounts and resources
• Audit overly-permissive security group rules by checking for overly permissive ports, protocols and CIDR ranges
• Audit for high-risk applications that are open to public and private CIDRs
• Audit for unused or duplicate security groups

Custom Audit Rules
• Custom guardrails that specify what exact rules to allow or disallow
• Firewall Manager compares the guardrail's CIDR (and its subset ranges), ports and protocols with each target security group
Detect non-compliance and remediate

• Firewall Manager policies continuously audit security groups across the organization
• Administrators get detailed reports on non-compliant security group rules and audit rule violations
• Optionally, policies can be set to automatically remediate

Demo: Pre-requisites
Firewall Manager Pre-requisites

1. Enable AWS Organizations (all features)
2. Enable AWS Config on all accounts
3. Designate an account as Firewall Manager Admin
Demo Setup: Firewall Manager

Admin - TestAccount13: EC2 instance #1, EC2 instance #2, EC2 instance #3
Member Account - TestAccount14: EC2 instance #1
Member Account - TestAccount15: EC2 instance #1, EC2 instance #2
Demo: Firewall Manager Policy Basics

1. Customer creates FMS Policy: Create a new Policy. Add the set of Security group rules you want to configure, or the audit rules you want to monitor.
2. Specify Policy Scope and Actions: Specify the accounts included/excluded in this policy. Optionally, use Tags to specify the resources included/excluded in the policy.
3. Create Policy and View Reports: Verify the scope and Save. Firewall Manager replicates the security group across accounts, and starts monitoring the resources in scope.
Demo #1
Use Case: Audit security groups for overly permissive CIDR ranges such as /0

Demo #2
Use Case: Audit for high-risk applications such as RDP and SSH accessing the internet

Demo #3
Use Case: Audit security groups to only allow SSH access from corporate IP addresses

Demo #4
Use Case: Identify and clean up any unused security groups
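As an added example (not code from this deck or from AWS), the Python below models locally what the four demo use cases and the managed/custom audit rules evaluate, on constructed describe-security-groups-style rule dicts: a /0 ingress range, SSH/RDP open to the internet, SSH permitted only from an assumed corporate CIDR (203.0.113.0/24, a placeholder), and groups attached to no network interface. The subset comparison mirrors the custom-audit check the deck describes; all sample data is constructed.

```python
import ipaddress

# Ports the deck's Demo #2 treats as high-risk when exposed to the internet.
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP"}
# Constructed corporate range for the Demo #3 guardrail (assumption).
CORPORATE_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]


def rule_covers_port(rule, port):
    """True if a describe-security-groups IpPermissions entry admits TCP `port`."""
    if rule["IpProtocol"] == "-1":          # "all traffic" rule, no port keys
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def audit_security_group(sg):
    """Return (check, detail) findings for one group; [] means compliant."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            # Demo #1: a /0 ingress range is overly permissive.
            if net.prefixlen == 0:
                findings.append(("open_cidr", f"{sg['GroupId']} allows {net}"))
                # Demo #2: high-risk services reachable from the internet.
                for port, name in HIGH_RISK_PORTS.items():
                    if rule_covers_port(rule, port):
                        findings.append(("high_risk_open", f"{name} open to {net}"))
            # Demo #3: SSH passes only if its range is a subset of an allowed CIDR.
            if rule_covers_port(rule, 22) and not any(
                    net.version == c.version and net.subnet_of(c) for c in CORPORATE_CIDRS):
                findings.append(("ssh_not_corporate", f"SSH allowed from {net}"))
    return findings


def unused_security_groups(groups, enis):
    """Demo #4: group ids not attached to any network interface."""
    attached = {g["GroupId"] for eni in enis for g in eni.get("Groups", [])}
    return {sg["GroupId"] for sg in groups} - attached


# Constructed sample data: one non-compliant group, one compliant, one ENI.
SAMPLE_GROUPS = [
    {"GroupId": "sg-demo1", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
     "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-demo2", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
     "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]
SAMPLE_ENIS = [{"Groups": [{"GroupId": "sg-demo1"}]}]
```

Running `audit_security_group(SAMPLE_GROUPS[0])` reports all three checks for the world-open SSH rule, while sg-demo2 is compliant but unused.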
What have we learnt so far…

• Basics of Firewall Manager
• Different capabilities and features for auditing VPC security groups
• Demo
AWS Firewall Manager Pricing for Security Group Policy

• Based on policy creation (region based)
• $100/policy/month/region
• Customers are charged separately for AWS Config usage based on the service pricing
Region Availability

Available in 18 Regions
• US East (N. Virginia)
• US East (Ohio)
• US West (N. California)
• US West (Oregon)
• EU (Ireland)
• EU (Paris)
• EU (Frankfurt)
• EU (London)
• EU (Stockholm)
• Asia Pacific (Singapore)
• Asia Pacific (Sydney)
• Asia Pacific (Tokyo)
• Asia Pacific (Seoul)
• Asia Pacific (Mumbai)
• South America (São Paulo)
• Canada (Central)
• Middle East (Bahrain)
• Africa (Cape Town)
Getting Started Resources

Documentation - https://docs.aws.amazon.com/firewall-manager/index.html
Jeff Barr Blog Post - https://aws.amazon.com/blogs/aws/aws-firewall-manager-update-support-for-vpc-security-groups/
AWS Security Blog - https://aws.amazon.com/blogs/security/use-aws-firewall-manager-vpc-security-groups-to-protect-applications-hosted-on-ec2-instances/
AWS Firewall Manager Website - https://aws.amazon.com/firewall-manager/
Thank you!
We welcome your feedback. Please share your thoughts on social media.