AWS Firewall Manager¶

What Is This Service?¶

AWS Firewall Manager (FMS) is a centralized security management service that deploys and enforces security policies across AWS Organizations accounts and resources.

Mental model:
Central security control plane that automatically attaches and maintains protection services across an AWS organization.

It does not inspect traffic itself.

Why It Matters for Security¶

Security teams struggle with:

inconsistent protections
manual onboarding
policy drift
decentralized ownership

Firewall Manager solves this through centralized governance.

Security outcomes:

enforce organization-wide protections
reduce misconfiguration risk
automate security onboarding
standardize incident posture
maintain compliance continuously

MOST TESTED

Firewall Manager = policy orchestration
Underlying services = actual enforcement

Architecture Example¶

flowchart TB

Org[AWS Organizations]

subgraph SecurityOU[Security OU]

Admin[Delegated Admin Account<br/>Firewall Manager]

end

subgraph ProdOU[Production OU]

Prod1[Prod Account]
Prod2[Prod Account]

end

subgraph DevOU[Development OU]

Dev1[Dev Account]

end

Org --> SecurityOU
Org --> ProdOU
Org --> DevOU

Admin --> FMS[Firewall Manager Policies]

FMS --> Config[AWS Config Inventory]

Config --> Prod1
Config --> Prod2
Config --> Dev1

FMS --> WAF[AWS WAF Policies]
FMS --> Shield[Shield Advanced Policies]
FMS --> SG[Security Group Policies]
FMS --> NFW[Network Firewall Policies]
FMS --> DNSFW[DNS Firewall Policies]

WAF --> Prod1
Shield --> Prod1
SG --> Prod2
NFW --> Dev1
DNSFW --> Dev1

Architecture Notes¶

Control plane: - AWS Organizations - Delegated administrator account - Firewall Manager - AWS Config

Data plane: - WAF request evaluation - Shield DDoS mitigation - Security Group enforcement - Network Firewall inspection - DNS Firewall filtering

Flow: 1. Organization defines account boundaries 2. Delegated admin owns Firewall Manager 3. Firewall Manager discovers resources via Config 4. Policies deploy into member accounts 5. Enforcement happens locally inside each account

Exam mental model:
Organizations → Firewall Manager → Security Service → Resource

Workflow(s)¶

Central Policy Deployment¶

sequenceDiagram

participant Sec as Security Team
participant FMS as Firewall Manager
participant Org as Organizations
participant Config as AWS Config
participant Service as Security Service
participant Account as Member Account

Sec->>FMS: Create policy

FMS->>Org: Discover accounts

FMS->>Config: Discover resources

Config->>Account: Inventory

FMS->>Service: Apply protection

Service->>Account: Enforce

Account->>Config: Resource changes

Config->>FMS: Compliance evaluation

FMS->>Service: Remediate drift

New Account Auto-Onboarding¶

sequenceDiagram

participant Org
participant FMS
participant Account
participant Resource

Org->>FMS: Account enters OU

Account->>Resource: Deploy workload

FMS->>Resource: Apply security controls

Resource->>FMS: Compliance state

Core Concepts¶

Firewall Manager Policy¶

Central object containing:

scope
target resources
protection type
remediation rules
cleanup behavior

Policy dimensions:

Component	Meaning
Accounts/OUs	who receives protection
Resource Type	what gets protected
Security Service	enforcement layer
Remediation	auto-fix or detect
Cleanup	remove protection if excluded

Delegated Administrator¶

Single account designated for Firewall Manager.

Requirements:

AWS Organizations enabled
trusted access enabled
AWS Config enabled

Security benefit:

centralized ownership without using management account.

Policy Scope¶

Can target:

organization
OU
account
resource tags

Exam pattern:

Different environments → separate OU policies.

Resource Discovery¶

Firewall Manager depends on:

AWS Config
organization membership
regional inventory

No Config → incomplete enforcement.

MASSIVE EXAM TRAP

Important Integrations¶

Service	Purpose
IAM	administration
Organizations	account governance
AWS Config	discovery/compliance
AWS WAF	L7 filtering
Shield Advanced	DDoS protection
Network Firewall	traffic inspection
Route 53 Resolver DNS Firewall	DNS filtering
Security Hub	findings
EventBridge	automation
Control Tower	landing zones
CloudFormation	deployment

Security Features¶

AWS WAF Policies¶

Centralized:

managed rules
custom rules
rate limits
logging

Supported:

CloudFront
ALB
API Gateway
AppSync
Cognito

Why:

prevent application teams bypassing baseline protections.

Shield Advanced Policies¶

Centralized:

DDoS enrollment
incident visibility
attack readiness

Important:

Firewall Manager cannot mitigate attacks.

Shield performs mitigation.

Security Group Policies¶

Types:

Common Security Groups¶

Replicate baseline SGs.

Use: - mandatory ingress - shared controls

Audit Security Groups¶

Detect violations.

Examples:

SSH open to internet
unrestricted RDP

No automatic modification.

Content Audit¶

Validate SG rule contents.

Usage Audit¶

Detect unused SGs.

Cleanup Policies¶

Remove stale SGs.

MOST TESTED

Network Firewall Policies¶

Deploy:

stateful rules
stateless rules
TLS inspection
centralized network controls

Packet processing occurs in Network Firewall.

Route 53 Resolver DNS Firewall¶

Deploy:

allow lists
block lists
DNS threat controls

Security outcome:

reduce malware C2 and exfiltration.

Advanced Security and Operational Concepts¶

Control Plane vs Data Plane¶

Plane	Responsibility
Control	policy orchestration
Data	packet/request filtering

Control plane outage:

cannot deploy updates
existing protections continue

Drift Detection¶

Detects:

detached WAF
SG changes
missing protections

Modes:

monitor only
auto-remediation

Exam scenario:

security team wants visibility before enforcement.

Multi-Region Behavior¶

Firewall Manager is regional.

Managed services differ:

Service	Scope
WAF CloudFront	Global
WAF Regional	Regional
Shield Advanced	Global
SG Policy	Regional
DNS Firewall	Regional
Network Firewall	Regional

Exam trap

Global service ≠ global Firewall Manager policy.

Cross-Account Enforcement¶

Delegated Admin
    ↓
Firewall Manager
    ↓
Security Service
    ↓
Member Account

Trust boundaries:

policies pushed centrally
enforcement remains local

Firewall Manager never processes application payloads.

Organization Governance Pattern¶

Security Account
      ↓
Firewall Manager
      ↓
All OUs
      ↓
Auto-Enforced Controls

Benefits:

separation of duties
scalable governance

Quotas and Scale¶

Operational constraints:

policies per region
Config evaluation volume
account count
protected resource count

Large organizations may experience delayed compliance.

Cost Considerations¶

Costs include:

Firewall Manager
WAF
Shield Advanced
Network Firewall
AWS Config
logging

Cost trap:

Firewall Manager does not replace underlying pricing.

DR / HA Behavior¶

Firewall Manager is not inline.

If unavailable:

protections remain
enforcement continues
new changes pause

No traffic impact.

Comparisons¶

Service	Difference
Firewall Manager	policy orchestration
AWS WAF	request filtering
Shield Advanced	DDoS mitigation
Network Firewall	network inspection
Security Groups	instance filtering
Security Hub	findings
Config	evaluation
Control Tower	account governance

Common Exam Traps¶

Firewall Manager does not inspect traffic.
AWS Config is required.
Organizations is mandatory.
Shield Advanced required for DDoS policies.
Regional behavior differs by managed service.
Existing protections survive control plane outages.
Audit mode ≠ enforcement.
Cleanup can unintentionally remove protections.
Costs remain in underlying services.
New accounts inherit policies automatically.
Security Hub and Firewall Manager are unrelated.
WAF enforcement remains inside WAF.

5-Second Recall¶

Centralized security governance
Requires Organizations + Config
Delegated administrator model
Deploys WAF / Shield / SG / DNS FW / Network FW
Control plane only
Detect → enforce → remediate

Quick Revision Notes¶

Firewall Manager = organization security orchestrator
Underlying services enforce controls
Config powers discovery
New accounts auto-protected
Security Groups governance heavily tested
Shield Advanced integration appears frequently
Cleanup behavior can remove protections
Regional vs global scope is an exam favorite
Think: Security guardrails at organization scale