---
title: CTP Topic 55 AWS Firewall Manager
type: cloud-learning
source-type: video
category: DevOps & SRE/07_Security
tags:
- AWS
- Firewall-Manager
- Security
- CTP
date-added: 2026-04-14
video-source: nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 55_ AWS Firewall Manager.mp4
audio-source: ""
status: summarized (Gemini 摘要)
---
# CTP Topic 55 AWS Firewall Manager
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/CTP _ Topic 55_ AWS Firewall Manager.mp4`
**Type:** VIDEO | **Category:** 07_Security
**Status:** 🟡 Awaiting Whisper transcription → Summary
---
## Summary

### AWS Firewall Manager

AWS Firewall Manager is a management service for centrally configuring firewall rules and other security rules across accounts and applications within an organization. It provides a dashboard view of compliant and non-compliant resources, with options for auto-remediation. It offers features for WAF, Network Firewall, and AWS Shield; this session focuses on managing security groups.

The primary reason for adopting Firewall Manager in the Grand Torque Landing Zone is to address the challenge of managing security policies across multiple landing zones (RLABS, R&D, SAS, CAT) with varying security requirements. Initially, the LAPS Landing Zone used Checkpoint Firewall with wide-open security group rules. However, the production SAS Landing Zone, which serves external customers via public subnets, required additional security rules to protect against traffic not scanned by Checkpoint. *We have gone through these policies and we come up with some baseline security groups.*

The rollout process involves creating security group policies in the Firewall Manager account, specifying the target accounts or OUs, and applying the baseline security groups to existing and new instances. This approach centralizes management, reduces the time spent rolling out security policies, and addresses issues related to shared services such as QALIS, which scans instances in product accounts. Firewall Manager uses AWS Config and Lambda to trigger events and enforce policies.

There are three types of Firewall Manager security group policies:

* **Common security groups:** Attaches baseline security groups while allowing product teams to add their own.
* **Audit and enforcement of security group rules:** Detects overly permissive rules, with options for manual action or auto-remediation.
* A third type cleans up unused and redundant security groups.

Prerequisites for setting up Firewall Manager include administrator access within the OU and AWS Config enabled in all accounts. Security groups are created in specific VPCs and regions, and prefix lists are used to easily share and update rules across accounts using RAM (Resource Access Manager). *RAM is like it's a tool available within this AWS where you can specify or you can share your AWS resources to any other account that you wanted to specify.*

The Firewall Manager account is separate and not tied to any specific landing zone, enabling cross-landing-zone deployment. A pipeline, such as the Atlantis server in the digital factory landing zone, is used to deploy changes to the Firewall Manager. The service manages security policies and can be used across different landing zones. The prefix list facilitates sharing security group rules.

For SAS landing zone accounts, all security groups will be applied as baseline security groups. Two security groups will be created in the policy: one for common shared prefix lists and another for allowing the shared account CIDR to reach instances. Before rollout, product teams will be engaged to address any concerns.

Firewall Manager can also manage WAF rules, allowing baseline rules to be rolled out from the Firewall Manager while letting product teams add additional rule sets.

A demo was conducted to show the creation of a common security group policy via Terraform and Terragrunt code, demonstrating how it attaches to EC2 instances automatically. The demo involved creating a security policy in the Firewall Manager account and associating it with a playground production account. The policy included a rule allowing SSH traffic. The security group was automatically attached to an existing EC2 server in the playground account. A new EC2 instance was created, and the security group was automatically attached to it as well. Deleting the policy in the Firewall Manager account automatically removed the security group from the instances.
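As an added example (not the session's demo code nor the team's own Terraform/Terragrunt), the policy flow described above expressed in Terraform against the Firewall Manager admin account: a managed prefix list shared to the target OU through RAM, a baseline security group that allows SSH only from that prefix list, a common security group policy that attaches the baseline group to instances in the OU with auto-remediation, and a content-audit policy that flags SSH or RDP open to the world. The VPC id, OU id, OU ARN and CIDR values are placeholders or constructed; the resource types and the `managed_service_data` shapes are those of the Terraform AWS provider's `aws_fms_policy`, `aws_ec2_managed_prefix_list`, `aws_ram_*` and `aws_security_group` resources.

```hcl
# Added example, not the team's code. Assumed: applied in the Firewall Manager admin
# account with the AWS provider configured; var.* values below are placeholders.
variable "fms_admin_vpc_id" {
  description = "VPC in the Firewall Manager account holding the primary baseline security groups (assumed)"
  type        = string
}

variable "target_ou_id" {
  description = "OU that receives the policies (placeholder)"
  type        = string
  default     = "ou-PLACEHOLDER-0000000000"
}

variable "target_ou_arn" {
  description = "ARN of the same OU, used as the RAM principal (placeholder)"
  type        = string
  default     = "arn:aws:organizations::000000000000:ou/o-placeholder/ou-PLACEHOLDER-0000000000"
}

# 1. Single source of truth for admin CIDRs. The replicated security group rules in
#    member accounts reference this list, so it must be shared to the OU via RAM.
resource "aws_ec2_managed_prefix_list" "admin_cidrs" {
  name           = "baseline-admin-cidrs"
  address_family = "IPv4"
  max_entries    = 20

  entry {
    cidr        = "10.20.0.0/16" # constructed: shared-services / bastion range
    description = "shared-services account"
  }
}

resource "aws_ram_resource_share" "admin_cidrs" {
  name                      = "baseline-admin-cidrs"
  allow_external_principals = false # never share outside the organization
}

resource "aws_ram_resource_association" "admin_cidrs" {
  resource_arn       = aws_ec2_managed_prefix_list.admin_cidrs.arn
  resource_share_arn = aws_ram_resource_share.admin_cidrs.arn
}

resource "aws_ram_principal_association" "target_ou" {
  principal          = var.target_ou_arn
  resource_share_arn = aws_ram_resource_share.admin_cidrs.arn
}

# 2. Baseline group: SSH only from the shared prefix list, not from 0.0.0.0/0.
resource "aws_security_group" "baseline_ssh" {
  name        = "fms-baseline-ssh"
  description = "Baseline: SSH from shared admin prefix list only"
  vpc_id      = var.fms_admin_vpc_id

  ingress {
    description     = "SSH from shared admin CIDRs"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    prefix_list_ids = [aws_ec2_managed_prefix_list.admin_cidrs.id]
  }
}

# 3. Common security group policy: replicate the baseline group into every account in
#    the OU and attach it to existing and new instances. Product teams keep their own groups.
resource "aws_fms_policy" "baseline_common" {
  name                        = "baseline-common-security-groups"
  exclude_resource_tags       = false
  remediation_enabled         = true # attach automatically rather than only report
  delete_all_policy_resources = true # deleting the policy detaches the replicated group
  resource_type_list          = ["AWS::EC2::Instance", "AWS::EC2::NetworkInterface"]

  include_map {
    orgunit = [var.target_ou_id]
  }

  security_service_policy_data {
    type = "SECURITY_GROUPS_COMMON"
    managed_service_data = jsonencode({
      type                                     = "SECURITY_GROUPS_COMMON"
      revertManualSecurityGroupChanges         = true  # undo edits made directly to the replica
      exclusiveResourceSecurityGroupManagement = false # teams may attach additional groups
      applyToAllEC2InstanceENIs                = false
      securityGroups                           = [{ id = aws_security_group.baseline_ssh.id }]
    })
  }
}

# 4. Audit policy: the audit group lists what counts as over-permissive; with action DENY,
#    any member security group whose rules overlap it is reported as non-compliant.
resource "aws_security_group" "audit_denied" {
  name        = "fms-audit-denied-ingress"
  description = "Audit reference: admin ports open to the world"
  vpc_id      = var.fms_admin_vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_fms_policy" "audit_overpermissive" {
  name                  = "audit-overpermissive-ingress"
  exclude_resource_tags = false
  remediation_enabled   = false # report first; enable after product teams are engaged
  resource_type         = "AWS::EC2::SecurityGroup"

  include_map {
    orgunit = [var.target_ou_id]
  }

  security_service_policy_data {
    type = "SECURITY_GROUPS_CONTENT_AUDIT"
    managed_service_data = jsonencode({
      type                = "SECURITY_GROUPS_CONTENT_AUDIT"
      securityGroupAction = { type = "DENY" }
      securityGroups      = [{ id = aws_security_group.audit_denied.id }]
    })
  }
}
```

Two prerequisites the session mentions apply directly here: AWS Config must be enabled in every member account, and sharing a prefix list to an OU principal requires RAM sharing with AWS Organizations to be enabled in the management account (`aws ram enable-sharing-with-aws-organization`). Keeping `remediation_enabled = false` on the audit policy gives the dashboard view of non-compliant groups before any rules are rewritten in product accounts.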
---
## Key Concepts
-
---
## Action Items
-
---
## Related Videos
> Paired video note link (fill in after generation)
---
*Last updated: 2026-04-14*