Profile Applicability:
Level 1
Description:
AWS Firewall Manager (FMS) is a security management service that allows you to centrally configure and manage firewall rules across multiple accounts within your AWS Organization. FMS policies are a set of rules used to configure AWS WAF, AWS Shield Advanced, and VPC security groups to ensure security across all applications, services, and accounts in an organization.
Ensuring that all FMS policies in an admin account are compliant means reviewing the firewall rules and configurations across all AWS accounts, ensuring that they adhere to organizational security standards, industry best practices, and compliance requirements.
Rationale:
Ensuring compliance with FMS policies in the admin account helps in:
Security Management: Helps to enforce security controls uniformly across multiple accounts within your AWS Organization.
Centralized Configuration: Ensures that firewall policies are consistent across all environments, preventing potential security gaps.
Regulatory Compliance: Helps meet security compliance frameworks and industry standards (e.g., SOC 2, PCI-DSS, HIPAA) by maintaining standardized security configurations.
Automated Management: Simplifies the management of firewall policies, reducing manual errors and improving security posture.
Impact:
Pros:
Unified Security Posture: Centralizes security policies to ensure consistent protection across all AWS accounts.
Compliance: Ensures that security policies comply with organizational and regulatory standards.
Ease of Management: Simplifies firewall rule configuration and ensures they are enforced uniformly across multiple accounts.
Risk Reduction: Reduces the risk of misconfigurations that could lead to potential security breaches.
Cons:
Complexity in Policy Design: Creating and managing policies across multiple accounts can be complex.
Management Overhead: Regular audits and updates to ensure compliance may require operational overhead.
Potential Impact on Services: Incorrect policy changes could disrupt services if not properly tested or applied.
Default Value:
By default, FMS policies may not be applied or could be misconfigured. It is necessary to explicitly create, configure, and apply FMS policies that meet security and compliance requirements.
Pre-requisite:
AWS IAM Permissions:
fms:ListPolicies
fms:GetPolicy
fms:ListComplianceStatus
fms:GetComplianceDetail
fms:PutPolicy
fms:AssociateAdminAccount
fms:DeletePolicy
AWS CLI installed and configured.
Understanding of AWS WAF, AWS Shield Advanced, VPC security groups, and Firewall Manager policies.
The AWS Organization should be set up with multiple member accounts and a designated Firewall Manager administrator account.
FMS policies should be enabled and applied to the desired accounts.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Firewall Manager under Services.
In the Firewall Manager Dashboard, check the Policy Compliance status.
Review each policy under the Policies section to ensure they are properly applied to the relevant accounts.
Ensure that the FMS policy is attached to the admin account and enforced across all other accounts.
Review individual policies for correctness (e.g., WAF rules, VPC security group rules, Shield Advanced settings).
If any policies are non-compliant, review the policy settings and apply any necessary changes.
Verify if any policies are incorrectly excluded or misapplied.
Using AWS CLI:
To list all FMS policies, run:
aws fms list-policies --query 'PolicyList[*].{ID:PolicyId,Name:PolicyName,RemediationEnabled:RemediationEnabled}'
To describe the details of a specific policy, run:
aws fms get-policy --policy-id <policy-id>
To list the compliance status of every member account for a specific policy, run:
aws fms list-compliance-status --policy-id <policy-id>
To check the compliance detail (the violating resources) for a specific policy and member account, run:
aws fms get-compliance-detail --policy-id <policy-id> --member-account <member-account-id>
To update a policy to ensure compliance, fetch the policy document, edit it (e.g., set RemediationEnabled to true), and write it back:
aws fms get-policy --policy-id <policy-id> --query Policy > policy.json
aws fms put-policy --policy file://policy.json
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Firewall Manager.
Review FMS Policies:
In the Firewall Manager Dashboard, go to the Policies section to list all policies.
Check the policy compliance status for each policy and verify if it is applied correctly across all accounts.
Create or Modify Policies:
If necessary, create new FMS policies or modify existing policies to ensure they align with the desired security and compliance standards.
For WAF policies, verify if the appropriate rules are applied.
For VPC Security Groups, ensure that they are properly configured to prevent open access or unwanted traffic.
Apply or Update Policies to ensure they are in compliance across the AWS Organization.
Monitor the compliance status and ensure that any new non-compliance findings are addressed.
Using AWS CLI:
List existing policies and review the compliance status of each one:
aws fms list-policies --query 'PolicyList[*].{ID:PolicyId,Name:PolicyName,RemediationEnabled:RemediationEnabled}'
aws fms list-compliance-status --policy-id <policy-id>
To describe a specific policy and confirm its settings:
aws fms get-policy --policy-id <policy-id>
Update any non-compliant policies by editing the policy document (e.g., setting RemediationEnabled to true) and writing it back:
aws fms get-policy --policy-id <policy-id> --query Policy > policy.json
aws fms put-policy --policy file://policy.json
Ensure continuous compliance by enabling automated checks or scheduling regular audits for policy compliance.
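The CLI steps in the Test Plan and Implementation Steps above produce JSON; the following is an added example (not part of this benchmark) that triages the output of list-compliance-status and builds the put-policy document that turns on automatic remediation. The sample responses, policy ID, account IDs and update token are constructed placeholders.

```python
import json

# Constructed sample of `aws fms list-compliance-status --policy-id <policy-id>` output:
# one policy evaluated for two member accounts, the second one non-compliant.
SAMPLE_COMPLIANCE = json.loads("""{"PolicyComplianceStatusList": [
  {"PolicyId": "00000000-0000-0000-0000-000000000000", "PolicyName": "org-waf-baseline",
   "MemberAccount": "111111111111", "EvaluationResults": [
     {"ComplianceStatus": "COMPLIANT", "ViolatorCount": 0, "EvaluationLimitExceeded": false}]},
  {"PolicyId": "00000000-0000-0000-0000-000000000000", "PolicyName": "org-waf-baseline",
   "MemberAccount": "222222222222", "EvaluationResults": [
     {"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 4, "EvaluationLimitExceeded": true}]}]}""")

# Constructed sample of `aws fms get-policy --policy-id <policy-id>` output (placeholder values).
SAMPLE_POLICY = json.loads("""{
  "PolicyArn": "arn:aws:fms:us-east-1:111111111111:policy/00000000-0000-0000-0000-000000000000",
  "Policy": {"PolicyId": "00000000-0000-0000-0000-000000000000", "PolicyName": "org-waf-baseline",
    "PolicyUpdateToken": "constructed-update-token",
    "SecurityServicePolicyData": {"Type": "WAFV2", "ManagedServiceData": "{}"},
    "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "ExcludeResourceTags": false, "RemediationEnabled": false}}""")


def noncompliant_accounts(status_doc):
    """Map each NON_COMPLIANT member account to its violator count (as a string).
    The count gets a '+' suffix when EvaluationLimitExceeded is set: FMS then reports
    only a partial count, so that account needs a manual get-compliance-detail review."""
    findings = {}
    for entry in status_doc.get("PolicyComplianceStatusList", []):
        for result in entry.get("EvaluationResults", []):
            if result.get("ComplianceStatus") == "COMPLIANT":
                continue  # anything other than COMPLIANT is treated as a finding
            count = str(int(result.get("ViolatorCount", 0)))
            if result.get("EvaluationLimitExceeded"):
                count += "+"
            findings[entry["MemberAccount"]] = count
    return findings


def remediation_payload(get_policy_doc):
    """Build the --policy document for `aws fms put-policy` with auto-remediation enabled.
    PolicyId and PolicyUpdateToken from get-policy must be carried over or put-policy will
    not update the existing policy; PolicyArn is not part of the Policy object and is dropped."""
    policy = dict(get_policy_doc["Policy"])
    if not policy.get("PolicyId") or not policy.get("PolicyUpdateToken"):
        raise ValueError("get-policy output must contain PolicyId and PolicyUpdateToken")
    policy["RemediationEnabled"] = True
    return policy
```

Pipe the real CLI output through json.load in place of the samples; the returned policy dict is what goes into the file passed to put-policy via file://.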
Backout Plan:
If applying or modifying FMS policies causes issues (e.g., unwanted service disruptions or non-compliance alerts):
Identify the affected FMS policies and review the policy configuration.
Revert the changes by writing back the copy of the policy document saved before the change (refresh its PolicyUpdateToken from the current policy first, since put-policy rejects a stale token):
aws fms put-policy --policy file://previous-policy.json
If necessary, delete the non-compliant policy and restore the previous working configuration:
aws fms delete-policy --policy-id <policy-id>
Verify that the policy has been reverted and that compliance status returns to normal.
Note:
Automated Compliance: Consider enabling AWS Config rules to automatically check for FMS policy compliance across all your AWS accounts.
Monitoring: Set up CloudWatch Alarms or SNS notifications to alert the security team when a policy becomes non-compliant.