Auto-sync: 2026-04-19 16:02
69
wiki/sources/ctp-topic-55-aws-firewall-manager.md
Normal file
@@ -0,0 +1,69 @@
---
id: ctp-topic-55-aws-firewall-manager
title: "CTP Topic 55 AWS Firewall Manager"
type: source
tags:
- AWS
- Firewall-Manager
- Security
- CTP
- Multi-Account
- Security-Group
sources:
- raw/Cloud & DevOps/Public-Cloud-Learning-Sessions/07_Security/ctp-topic-55-aws-firewall-manager.md
last_updated: 2026-04-19
---

## Source File

- [[raw/Cloud & DevOps/Public-Cloud-Learning-Sessions/07_Security/ctp-topic-55-aws-firewall-manager.md]]

## Summary

- **核心主题**:AWS Firewall Manager 多账号安全策略集中管理
- **问题域**:多 Landing Zone 环境下的跨账号防火墙策略统一配置与自动修复
- **方法/机制**:Firewall Manager + AWS Config + Lambda 事件驱动策略执行
- **结论/价值**:实现安全策略的中央化管理,减少安全策略推广时间,统一基线安全组

## Key Claims

- Firewall Manager 可跨多个 Landing Zone(RLabs、RD、SAS、CAT)集中管理安全策略
- Firewall Manager 支持三种安全组策略类型:通用安全组、审计与强制、清理未使用安全组
- 通过 Prefix List + RAM 实现跨账号安全组规则共享和更新
- 使用 AWS Config + Lambda 触发事件并执行策略自动修复

## Key Quotes

> "The primary reasons for adopting Firewall Manager in Grand Torque Landing Zone are to address the challenges of managing security policies across multiple landing zones with varying security requirements."

> "SAS Landing Zone serves external customers via public subnets, necessitated additional security rules to protect against traffic not scanned by Checkpoint."

> "Prefix list facilitates sharing security group rules across accounts using RAM."

## Key Concepts

- [[AWS Firewall Manager]]:跨账号集中配置防火墙规则和安全策略的管理服务
- [[AWS Config]]:AWS 配置审计与合规性服务,用于触发策略事件
- [[Prefix List]]:预定义 CIDR 块集合,用于跨账号共享规则
- [[RAM(Resource Access Manager)]]:AWS 资源访问管理工具,支持跨账号资源分享
- [[Security Group]]:AWS VPC 安全组,控制入站和出站流量

## Key Entities

- [[Grand Torque Landing Zone]]:组织采用的多账号 Landing Zone 架构(RLabs、RD、SAS、CAT)
- [[LAPS Landing Zone]]:早期使用 Checkpoint Firewall 的 Landing Zone
- [[SAS Landing Zone]]:面向外部客户提供服务的 Landing Zone,需要额外安全规则
- [[Digital Factory Landing Zone]]:部署 Atlantis 服务器用于发布 Firewall Manager 变更
- [[QALIS]]:共享服务,扫描产品账户中的实例

## Connections

- [[AWS Firewall Manager]] ← managed_by ← [[AWS Config]]
- [[AWS Firewall Manager]] ← uses ← [[RAM]]
- [[Security Group]] ← shared_via ← [[Prefix List]]
- [[SAS Landing Zone]] ← protected_by ← [[AWS Firewall Manager]]
- [[LAPS Landing Zone]] ← previously_used ← [[Checkpoint Firewall]]

## Contradictions

- 与 [[Checkpoint Firewall]] 在 LAPS Landing Zone 中的广泛开放规则冲突:Firewall Manager 提供更细粒度的安全组控制
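Review bot: the wiki-link names for the same entity differ between sections, so they will resolve to two separate notes: Key Concepts links `[[RAM(Resource Access Manager)]]` while Connections links `[[RAM]]`; settle on one form and use it in both places. The Connections edges also read backwards relative to the Key Claims: `[[AWS Firewall Manager]] ← managed_by ← [[AWS Config]]` states that Config manages Firewall Manager, whereas the claims describe Config + Lambda triggering events that drive policy remediation, and `[[AWS Firewall Manager]] ← uses ← [[RAM]]` states that RAM uses Firewall Manager, whereas the quotes say prefix lists are shared across accounts via RAM; reword those two edges so the direction matches the prose. Finally, `[[Checkpoint Firewall]]` is linked from Connections and Contradictions but has no entry under Key Entities or Key Concepts; add a one-line definition there so the link has a target.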
|
||||