AWS Firewall Manager
A security management service that centrally applies and manages WAF, Shield Advanced, Security Group, and Network Firewall rules across multiple accounts and resources under Organizations
Overview
AWS Firewall Manager works with AWS Organizations to centrally manage firewall rules across multiple AWS accounts. It defines WAF rules, Shield Advanced protections, VPC security groups, Network Firewall policies, and Route 53 Resolver DNS Firewall rules as security policies, automatically applying them to designated OUs and accounts. When new accounts or resources are added, policies are automatically applied, ensuring consistent security.
Security Policy Types and Scope of Application
Firewall Manager offers six types of security policies, selected based on the resource type being protected. WAF policies bulk-apply WAF rule groups to CloudFront distributions, ALBs, API Gateway, and AppSync. Use them to enforce common WAF rules (SQL injection protection, rate limiting) across all ALBs in all accounts. Shield Advanced policies apply DDoS protection to EC2, ELB, CloudFront, Global Accelerator, and Route 53. Security group policies manage VPC security groups, with the ability to detect and auto-remediate unnecessary inbound rules. Network Firewall policies auto-deploy Network Firewall to VPCs and apply stateful traffic inspection rules. DNS Firewall policies apply DNS filtering rules to Route 53 Resolver, blocking DNS queries to malicious domains. Each policy's scope can be specified at the Organizations OU level, account level, or resource tag level, with exclusion rules also configurable.
Centralized WAF Rule Management and Auto-Remediation
Firewall Manager's most common use case is centralized WAF rule management. When the security team defines a WAF policy in Firewall Manager, Web ACLs are automatically created and associated with target resources in target accounts. Policies specify "first rule groups" and "last rule groups," and each account's administrators can add account-specific rules in between. This enforces an organization-wide security baseline (OWASP Top 10 protection, bot mitigation, rate limiting) while leaving room for per-account customization. With auto-remediation enabled, non-compliant resources (such as ALBs without WAF associations) are automatically remediated. When new ALBs are created, Firewall Manager detects them and automatically associates WAF. The compliance dashboard provides an at-a-glance view of policy compliance status across all accounts, making it easy to identify and address non-compliant resources.
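The policy described above, as an added example that is not part of the original page or of AWS documentation: a Python builder for the `put-policy` document of an ALB WAF baseline, with first and last rule groups and auto-remediation, plus a small check function for reviewing existing policies. The OU id and policy name are placeholders; the managed rule group names are AWS managed rule groups.

```python
import json

# Placeholders (not from the page): the target OU id and the policy name.
TARGET_OU = "ou-EXAMPLE-PLACEHOLDER"
POLICY_NAME = "org-baseline-alb-waf"

def managed_rule_group(name, vendor="AWS"):
    """One AWS-managed rule group entry in the shape Firewall Manager expects."""
    return {"ruleGroupType": "ManagedRuleGroup", "ruleGroupArn": None,
            "overrideAction": {"type": "NONE"}, "excludeRules": [],
            "managedRuleGroupIdentifier": {"vendorName": vendor,
                                           "managedRuleGroupName": name,
                                           "version": None}}

def build_waf_policy(target_ou, remediate=True):
    """put-policy document for an org-wide ALB WAF baseline. preProcessRuleGroups
    are the "first rule groups", postProcessRuleGroups the "last rule groups";
    member accounts add their own rules between the two in the generated web ACL."""
    msd = {
        "type": "WAFV2",
        "preProcessRuleGroups": [managed_rule_group("AWSManagedRulesCommonRuleSet"),
                                 managed_rule_group("AWSManagedRulesSQLiRuleSet")],
        "postProcessRuleGroups": [managed_rule_group("AWSManagedRulesAmazonIpReputationList")],
        "defaultAction": {"type": "ALLOW"},
        # False keeps a member account's existing web ACL association in place.
        "overrideCustomerWebACLAssociation": False,
        "loggingConfiguration": None,
    }
    return {
        "PolicyName": POLICY_NAME,
        # Firewall Manager takes ManagedServiceData as a JSON string, not an object.
        "SecurityServicePolicyData": {"Type": "WAFV2", "ManagedServiceData": json.dumps(msd)},
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "ExcludeResourceTags": False,
        "RemediationEnabled": remediate,  # auto-associate the web ACL with new ALBs
        "IncludeMap": {"ORGUNIT": [target_ou]},
    }

def policy_findings(policy):
    """Review a policy document (as built here or as returned by get-policy)."""
    findings = []
    if not policy.get("RemediationEnabled"):
        findings.append("auto-remediation disabled: new ALBs stay unprotected")
    msd = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    if not msd.get("preProcessRuleGroups"):
        findings.append("no first rule groups: baseline is not enforced")
    return findings

if __name__ == "__main__":
    # Save as policy.json, then: aws fms put-policy --policy file://policy.json
    print(json.dumps(build_waf_policy(TARGET_OU), indent=2))
```

Running `policy_findings` over the output of `aws fms get-policy` for each existing policy is a quick way to catch policies that were deployed without remediation and therefore do not protect newly created ALBs.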
Prerequisites and Cost Structure
Firewall Manager has three prerequisites for deployment. First, AWS Organizations must be enabled with all features activated. Second, a Firewall Manager administrator account must be designated (typically the security account). Third, AWS Config must be enabled in target accounts (required for Firewall Manager to evaluate resource compliance). The cost structure includes Firewall Manager's own policy fee (100 USD per policy per month) plus charges for resources each policy creates (WAF Web ACLs, Network Firewall endpoints, etc.). For a WAF policy, the total cost is Firewall Manager's 100 USD + each account's Web ACL fee (5 USD/month) + rule fees + request fees. Applying a WAF policy across 10 accounts costs roughly 200-300 USD per month: Firewall Manager 100 USD + Web ACLs 50 USD + rule and request charges. For organizations with fewer than 5 accounts, configuring WAF individually in each account may be more cost-effective.