Auto-sync: update nexus workspace
wiki/concepts/AWS-Firewall-Manager.md (new file, 73 lines)
@@ -0,0 +1,73 @@
---
title: "AWS Firewall Manager"
type: concept
tags:
- AWS
- Security
- Multi-Account
- Firewall
- Compliance
sources:
- ctp-topic-55-aws-firewall-manager
last_updated: 2026-04-14
---
## Definition
AWS Firewall Manager 是 AWS 提供的集中化管理服务,用于在组织级别(Organization)跨账户和跨应用程序统一配置防火墙规则和安全策略。它提供了一个合规仪表板视图,支持 WAF、Network Firewall、Shield Advanced 和安全组(Security Group)四种策略类型的统一管理。
## Core Capabilities
### 1. Centralized Policy Management
- 在单一账户(Firewall Manager Admin Account)中定义策略,自动分发到目标账户或 OU
- 支持跨多个 Landing Zone(如 RLABS、R&D、SAS、CAT)的统一纳管
- Firewall Manager 账户独立于任何单一 Landing Zone
### 2. Security Group Policy Types
- **Common Security Group Policy**:附加基线安全组,允许产品团队在其上继续添加额外规则
- **Audit & Enforcement Security Group Policy**:拒绝过度宽松的安全组规则,支持手动修复或自动修复
- **Cleanup Security Group Policy**:清理未使用的冗余安全组
### 3. Automatic Remediation
- 依赖 AWS Config 作为合规评估引擎,检测不合规资源
- 通过 AWS Lambda 触发修复事件,自动执行策略
- 新建 EC2 实例自动附加基线安全组,删除策略自动从实例剥离安全组
### 4. Cross-Account Rule Distribution
- 通过 Prefix List 定义 CIDR 范围
- 通过 AWS RAM(Resource Access Manager)跨账户共享 Prefix List,实现规则同步更新
## Prerequisites
- 需要在组织(Organization)级别启用 Firewall Manager
- Firewall Manager 管理员必须在目标 OU 内拥有管理员权限
- 所有目标账户必须启用 AWS Config
## Use Cases
- 多 Landing Zone 环境下的安全基线统一实施
- 替代 Checkpoint Firewall 无法覆盖的公网子网流量管控
- 集中化 WAF 规则管理,支持产品团队在基线规则上叠加自定义规则集
## Architecture Pattern
```
Firewall Manager Admin Account
├── Security Group Policy Definition
│ ├── Target: Account / OU
│ └── Baseline Security Group
├── AWS Config (Compliance Engine)
└── AWS Lambda (Remediation Trigger)
↓ (RAM: Prefix List Sharing)
Target Accounts
└── EC2 Instances (Auto-attached)
```
## Related Concepts
- [[AWS Config]]:合规评估引擎
- [[AWS Lambda]]:自动化修复执行
- [[Security Group Policy]]:策略类型分类
- [[AWS-Landing-Zone]]:上层基础设施框架
- [[Terraform]] + [[Terragrunt]]:IaC 自动化部署
## Tooling
- Terraform provider for Firewall Manager
- Terragrunt for Landing Zone multi-account orchestration
- Atlantis CI/CD pipeline for automated policy deployment
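Review bot: the Definition, Automatic Remediation and Prerequisites sections of this new note misstate how Firewall Manager works and should be corrected before the page is used as a reference. The Definition says the service manages "four" policy types (WAF, Network Firewall, Shield Advanced, security groups); it also offers Route 53 Resolver DNS Firewall policies and third-party firewall policies, so either drop the count or list the full set. Automatic Remediation, and the Architecture Pattern diagram under it, present "AWS Lambda (Remediation Trigger)" as part of the mechanism; Firewall Manager's built-in auto-remediation for security group policies is carried out by the service itself on top of AWS Config evaluations and does not need a Lambda function, so if Lambda is a custom component of this landing zone, say so explicitly and describe what it does, otherwise remove it from the diagram and the Related Concepts list. In Prerequisites, "the Firewall Manager administrator must have administrator permissions in the target OU" is not the actual requirement: the administrator account is designated from the AWS Organizations management account and must be a member of the organization; the AWS Config line should also read "enabled in all target accounts and regions in scope", since Config is regional. Finally, the Common Security Group Policy bullet says product teams may keep adding rules on top of the baseline; if that means editing the replicated baseline group, the policy's "identify and revert local changes" option (when enabled) undoes those edits, so state that teams should attach their own additional security groups rather than modify the replica, which is also what the Audit & Enforcement policy in the next bullet is meant to police.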