66 lines
4.5 KiB
Markdown
66 lines
4.5 KiB
Markdown
---
|
||
title: "CTP Topic 55 AWS Firewall Manager"
|
||
type: source
|
||
tags:
|
||
- AWS
|
||
- Firewall-Manager
|
||
- Security
|
||
- CTP
|
||
date: 2026-04-14
|
||
---
|
||
|
||
## Source File
|
||
- [[Cloud & DevOps/Public-Cloud-Learning-Sessions/07_Security/ctp-topic-55-aws-firewall-manager]]
|
||
|
||
## Summary(用中文描述)
|
||
- 核心主题:AWS Firewall Manager 在多 Landing Zone 环境下的集中化安全策略管理
|
||
- 问题域:跨多个 Landing Zone(RLABS、R&D、SAS、CAT)统一管理和执行安全组规则
|
||
- 方法/机制:
|
||
- 三类安全策略:通用安全组(Common SG)、审计与强制执行(Audit & Enforcement SG)、冗余清理(Cleanup SG)
|
||
- 利用 AWS Config + Lambda 触发事件并强制执行策略
|
||
- 通过 RAM(Resource Access Manager)共享 Prefix List,实现跨账户规则分发
|
||
- Firewall Manager 账户独立部署,支持跨 Landing Zone 统一纳管
|
||
- 支持通过 Terraform + Terragrunt 自动化部署策略
|
||
- 结论/价值:将安全策略从各 Landing Zone 分散管理转变为集中管控,大幅降低策略推广时间,支持 WAF 规则统一管理
|
||
|
||
## Key Claims(用中文描述)
|
||
- Firewall Manager 通过 AWS Config + Lambda 机制自动检测并修复不合规资源,实现跨账户统一安全策略执行
|
||
- 三类安全组策略分别承担"附加基线"、"拒绝过度宽松规则"、"清理冗余"职责,形成完整的安全管控闭环
|
||
- Prefix List + RAM 组合实现安全规则在账户间的便捷共享与同步更新,无需手动逐账户配置
|
||
- Firewall Manager 账户独立于任何单一 Landing Zone,可同时纳管 RLABS、R&D、SAS、CAT 等多个环境
|
||
- SAS Landing Zone 账户的所有安全组均作为基线安全组应用,由 Firewall Manager 统一管控
|
||
|
||
## Key Quotes
|
||
> "Firewall Manager is a management service to centrally configure firewall rules and security rules across accounts and applications within organizations." — AWS Firewall Manager 核心定义
|
||
> "RAM is like it's a tool available within this AWS where you can specify or you can share your AWS resources to any other account that you wanted to specify." — Prefix List 通过 RAM 共享的机制说明
|
||
> "We have gone through these policies and we come up with some baseline security groups." — 多 Landing Zone 环境下的基线安全组制定背景
|
||
> "Deleting the policy in the Firewall Manager account automatically removed the security group from the instances." — 策略删除自动清理附着实例
|
||
|
||
## Key Concepts
|
||
- [[AWS Firewall Manager]]:AWS 集中化防火墙和安全规则管理服务,支持跨账户和跨应用程序的配置
|
||
- [[Security Group Policy]]:Firewall Manager 中的安全组策略,分为 Common、Audit & Enforcement、Cleanup 三种类型
|
||
- [[AWS Config]]:AWS 配置合规性评估服务,与 Firewall Manager 联动触发自动修复
|
||
- [[AWS Lambda]]:无服务器计算服务,在 Firewall Manager 中用于执行策略事件处理逻辑
|
||
- [[Prefix List]]:IP 前缀列表,用于定义 CIDR 范围,通过 RAM 在账户间共享安全规则
|
||
- [[Resource Access Manager (RAM)]]:AWS 资源分享服务,允许跨账户共享 VPC Prefix List 等资源
|
||
- [[Landing Zone]]:AWS 多账户环境的规范化基础设施架构,本文档涉及 RLABS、R&D、SAS、CAT 四个 Landing Zone
|
||
|
||
## Key Entities
|
||
- [[Grand Torque Landing Zone]]:整体 Landing Zone 架构,Firewall Manager 在此背景下被采用以应对多 Landing Zone 安全策略管理挑战
|
||
- [[LAPS Landing Zone]]:早期使用 Checkpoint Firewall 的 Landing Zone,安全组规则较为宽松
|
||
- [[SAS Landing Zone]]:面向外部客户的 Landing Zone,拥有公有子网,需要额外的安全规则保护
|
||
- [[Digital Factory Landing Zone]]:部署 Atlantis 服务器的 Landing Zone,通过 IaC pipeline 向 Firewall Manager 推送变更
|
||
- [[Atlantis Server]]:Digital Factory 中的 Terraform/Terragrunt 执行服务器,用于自动化部署 Firewall Manager 策略
|
||
- [[QALIS]]:共享服务,扫描产品账户中的实例
|
||
|
||
## Connections
|
||
- [[AWS Firewall Manager]] ← 管理 ← [[Security Group Policy]]
|
||
- [[Security Group Policy]] ← 触发执行 ← [[AWS Config]] + [[AWS Lambda]]
|
||
- [[Security Group Policy]] ← 规则分发 ← [[Prefix List]] + [[Resource Access Manager (RAM)]]
|
||
- [[AWS Firewall Manager]] ← 独立部署于 ← [[Digital Factory Landing Zone]]
|
||
- [[AWS Firewall Manager]] ← 纳管 ← [[LAPS Landing Zone]]、[[SAS Landing Zone]] 等多个 Landing Zone
|
||
- [[Terraform]] + [[Terragrunt]] ← 自动化部署 ← [[AWS Firewall Manager]] Policy
|
||
|
||
## Contradictions
|
||
- 暂无发现与其他 Wiki 页面的直接内容冲突
|