ishenwei/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b40abbcd473a7093d8261e212e3d6de97c1e516a
nexus/wiki/concepts/AWS-Firewall-Manager.md

74 lines
2.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
title: "AWS Firewall Manager"
type: concept
tags:
- AWS
- Security
- Multi-Account
- Firewall
- Compliance
sources:
- ctp-topic-55-aws-firewall-manager
last_updated: 2026-04-14
---
## Definition
AWS Firewall Manager 是 AWS 提供的集中化管理服务用于在组织级别Organization跨账户和跨应用程序统一配置防火墙规则和安全策略。它提供了一个合规仪表板视图支持 WAF、Network Firewall、Shield Advanced 和安全组Security Group四种策略类型的统一管理。
## Core Capabilities
### 1. Centralized Policy Management
- 在单一账户Firewall Manager Admin Account中定义策略自动分发到目标账户或 OU
- 支持跨多个 Landing Zone如 RLABS、R&D、SAS、CAT的统一纳管
- Firewall Manager 账户独立于任何单一 Landing Zone
### 2. Security Group Policy Types
- **Common Security Group Policy**:附加基线安全组,允许产品团队在其上继续添加额外规则
- **Audit & Enforcement Security Group Policy**:拒绝过度宽松的安全组规则,支持手动修复或自动修复
- **Cleanup Security Group Policy**:清理未使用的冗余安全组
### 3. Automatic Remediation
- 依赖 AWS Config 作为合规评估引擎,检测不合规资源
- 通过 AWS Lambda 触发修复事件,自动执行策略
- 新建 EC2 实例自动附加基线安全组,删除策略自动从实例剥离安全组
### 4. Cross-Account Rule Distribution
- 通过 Prefix List 定义 CIDR 范围
- 通过 AWS RAMResource Access Manager跨账户共享 Prefix List实现规则同步更新
## Prerequisites
- 需要在组织Organization级别启用 Firewall Manager
- Firewall Manager 管理员必须在目标 OU 内拥有管理员权限
- 所有目标账户必须启用 AWS Config
## Use Cases
- 多 Landing Zone 环境下的安全基线统一实施
- 替代 Checkpoint Firewall 无法覆盖的公网子网流量管控
- 集中化 WAF 规则管理,支持产品团队在基线规则上叠加自定义规则集
## Architecture Pattern
```
Firewall Manager Admin Account
├── Security Group Policy Definition
│ ├── Target: Account / OU
│ └── Baseline Security Group
├── AWS Config (Compliance Engine)
└── AWS Lambda (Remediation Trigger)
↓ (RAM: Prefix List Sharing)
Target Accounts
└── EC2 Instances (Auto-attached)
```
## Related Concepts
- [[AWS Config]]:合规评估引擎
- [[AWS Lambda]]:自动化修复执行
- [[Security Group Policy]]:策略类型分类
- [[AWS-Landing-Zone]]:上层基础设施框架
- [[Terraform]] + [[Terragrunt]]IaC 自动化部署
## Tooling
- Terraform provider for Firewall Manager
- Terragrunt for Landing Zone multi-account orchestration
- Atlantis CI/CD pipeline for automated policy deployment
Reference in New Issue View Git Blame Copy Permalink