AWS Firewall Manager is a tool from Amazon Web Services that an organization can use to configure policies for the cloud vendor's native web application firewall (WAF) service.
AWS Firewall Manager assembles and enforces AWS WAF rules, which can be administered across accounts and applications. The service can extend rules across multiple AWS accounts through its integration with AWS Organizations, another AWS policy management tool. In addition, through its integration with Application Load Balancers and Amazon CloudFront, AWS Firewall Manager ensures any new user or application automatically operates under set guidelines and policies. An admin can apply policies across an entire infrastructure, but the service also has the flexibility to limit policies to a single user, a group of users, or to specific applications.
Using AWS Firewall Manager
Firewall Manager can be used by enterprises that work in heavily regulated industries, such as healthcare or finance, and have to comply with national and/or international codes for data privacy. It's also intended for organizations that need to centrally manage policies for workloads and users that span multiple regions.
Additionally, the service integrates with Managed Rules for AWS WAF to guard applications against the latest common vulnerabilities. A developer can use AWS Firewall Manager to apply patches automatically and protect against threats to web apps and APIs. Integrations with other AWS security tools enable AWS Firewall Manager to send alerts so a user can respond to potential attacks as they occur.
A developer can access AWS Firewall Manager through the AWS Management Console, and the service is only available for use with AWS accounts and applications. An administrator account must be established with access to all features within AWS Organizations. The administrator must also enable AWS Config for all member accounts and each applicable region. If a developer wants to use AWS Firewall Manager to protect CloudFront infrastructure, CloudFront must be hosted in the U.S. East 1 region.
The service also has default limits on the number of policies and accounts it can manage, though an organization can request increases on some of those restrictions. However, that organization cannot exceed 10 rules per group, or a 2:1 ratio of rule groups to policies.
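The prerequisites described above (all features enabled in AWS Organizations, AWS Config recording in every member account and region, U.S. East 1 in scope for CloudFront) can be checked before a policy is rolled out. The following is an added example, not AWS's or this page's own code; the function name, account IDs and JSON samples are constructed, and the JSON shapes follow the AWS CLI commands named in the comments.

```python
import json

# Constructed sample output of `aws organizations describe-organization`.
ORG_JSON = '{"Organization": {"Id": "o-exampleorgid", "FeatureSet": "ALL"}}'

# Constructed samples keyed by (account, region): output of
# `aws configservice describe-configuration-recorder-status` run in each one.
RECORDER_JSON = {
    ("111111111111", "us-east-1"):
        '{"ConfigurationRecordersStatus": [{"name": "default", "recording": true}]}',
    ("111111111111", "eu-west-1"):
        '{"ConfigurationRecordersStatus": [{"name": "default", "recording": false}]}',
    ("222222222222", "us-east-1"):
        '{"ConfigurationRecordersStatus": []}',
}


def prerequisite_gaps(org_json, recorder_json, accounts, regions,
                      protects_cloudfront=False):
    """Return a list of unmet prerequisites; an empty list means ready."""
    gaps = []
    feature_set = json.loads(org_json)["Organization"].get("FeatureSet")
    if feature_set != "ALL":
        gaps.append(f"AWS Organizations feature set is {feature_set}, not ALL")
    # U.S. East 1 is the region identifier us-east-1.
    if protects_cloudfront and "us-east-1" not in regions:
        gaps.append("CloudFront protection requested but us-east-1 is not in scope")
    for account in accounts:
        for region in regions:
            raw = recorder_json.get((account, region))
            if raw is None:
                gaps.append(f"{account}/{region}: no AWS Config status collected")
                continue
            statuses = json.loads(raw)["ConfigurationRecordersStatus"]
            # A recorder that exists but is stopped does not satisfy the requirement.
            if not any(s.get("recording") for s in statuses):
                gaps.append(f"{account}/{region}: AWS Config recorder missing or stopped")
    return gaps


if __name__ == "__main__":
    for gap in prerequisite_gaps(ORG_JSON, RECORDER_JSON,
                                 ["111111111111", "222222222222"],
                                 ["us-east-1", "eu-west-1"], protects_cloudfront=True):
        print("GAP:", gap)
```

An account and region pair with no collected status is reported separately from a stopped recorder, since the first usually means the check never ran there.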
AWS Firewall Manager Pricing
For AWS Shield Advanced customers, AWS Firewall Manager is included in the cost as of November 2018, though they will be charged for any related AWS Config rules they create. AWS Shield Standard and AWS WAF customers are charged $100 per policy per region, in addition to any ancillary charges incurred from AWS Config and AWS WAF web ACLs or rules.