The AWS Centralized WAF and VPC Security Group Management solution is intended for customers looking to easily manage a consistent security posture across their entire AWS Organization. The solution uses the AWS Firewall Manager service.
Additionally, the solution eases the installation process required to fulfill Firewall Manager prerequisites so customers can focus more on their organization's security posture.
Note: For any relevant information outside the scope of this readme, please refer to the solution landing page and implementation guide.
🚀Solution Landing Page | 🚧Feature request | 🐛Bug Report | 📜Documentation Improvement
- If you are already using Firewall Manager: FMSStack.template
- If you are new to Firewall Manager: PreReqStack.template
- If you want to create demo resources: Demo.template
- Firewall Admin: Provide the account ID to be used for the Firewall Manager admin account. If you have already configured a Firewall Manager admin, provide that account ID.
- Enable Config: Do you want to enable AWS Config across your Organization as part of the prerequisite installation? You may choose 'No' if you already have Config enabled.
- Prerequisite: Node.js>10
Clone the repository and run the following commands to install dependencies, then format and lint as per the project standards:
npm i
npm run prettier-format
npm run lint
You may make any needed change as per your requirement. If you want to customize the Firewall Manager policy defaults, you can modify the manifest file.
Additionally, you can customize the code and add any extensibility to the solution. Please review our feature request guidelines if you want to submit a PR.
You can run unit tests with the following command from the root of the project
npm run test
You can build lambda binaries with the following command from the root of the project
npm run build
Run the following commands from the root of the project:
cd source/resources
npm i
The solution has 3 CDK Stacks
- Primary FMS Stack: this stack deploys all the primary solution components needed to manage Firewall Manager security policies. Deploy it in the Firewall Manager admin account.
cdk synth FMSStack
cdk deploy FMSStack --profile <PROFILE_NAME>
- Prerequisite Stack: this stack can be used to fulfill the solution prerequisites. Deploy it in the Organizations master account.
cdk synth PreReqStack
cdk deploy PreReqStack --parameters FMSAdmin=<ACCOUNT_ID> --parameters EnableConfig=<Yes|No> --profile <PROFILE_NAME>
- Demo Stack: this stack can be used to provision minimal resources for demo purposes. You may deploy this stack in any account, but in us-east-1 only.
cdk synth DemoStack
cdk deploy DemoStack --profile <PROFILE_NAME>
Note: for PROFILE_NAME, substitute the name of an AWS CLI profile that contains appropriate credentials for deploying in your preferred region.
The default deployment uses opinionated values as set up in the policy manifest file. In this scenario, let's say we want to update the global WAF policy defaults and turn off the auto-remediation behavior. We can make the change as seen below by setting remediationEnabled to false.
"policyName": "FMS-WAF-01",
"policyScope": "Global",
"resourceType": "AWS::CloudFront::Distribution",
"remediationEnabled": false,
Additionally, if you want to control sending solution usage metrics to aws-solutions, you can refer to solution manifest file.
"solutionVersion": "%%VERSION%%", #provide a valid value, e.g. v1.0
"sendMetric": "Yes",
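Before deploying an edited manifest it is worth confirming which policies will still auto-remediate, since remediation lets Firewall Manager change resources across every account in scope. The TypeScript below is an added example, not the solution's own code; it assumes the manifest is a JSON object with a "policies" array whose entries carry the four keys shown above (the page only shows a fragment, so the real layout may differ), and the sample manifest in it is constructed.

```typescript
// Added example (not the solution's own code): review the FMS policy manifest before
// `cdk deploy`. A policy with remediationEnabled=true lets Firewall Manager change
// non-compliant resources across the whole Organization, so check which policies still
// auto-remediate after editing. ASSUMPTION: manifest = JSON object with a "policies"
// array whose entries carry the four keys shown in the README; the real file may differ.
import * as fs from "fs";

type PolicyEntry = { policyName: string; policyScope: string; resourceType: string; remediationEnabled: boolean };

// Constructed sample manifest, not the solution's manifest.json.
const sampleManifest: { policies: PolicyEntry[] } = {
  policies: [
    { policyName: "FMS-WAF-01", policyScope: "Global", resourceType: "AWS::CloudFront::Distribution", remediationEnabled: true },
    { policyName: "FMS-WAF-02", policyScope: "Regional", resourceType: "AWS::ElasticLoadBalancingV2::LoadBalancer", remediationEnabled: true },
    { policyName: "FMS-SG-01", policyScope: "Regional", resourceType: "AWS::EC2::SecurityGroup", remediationEnabled: false },
  ],
};

// Structural checks: each entry needs the four keys with the right types and a
// policyScope of "Global" or "Regional". Returns one finding per problem.
function validatePolicies(policies: unknown): string[] {
  if (!Array.isArray(policies)) return ["manifest.policies is not an array"];
  const findings: string[] = [];
  policies.forEach((p: any, i: number) => {
    const tag = `policies[${i}]`;
    if (typeof p?.policyName !== "string") findings.push(`${tag}: policyName missing`);
    if (p?.policyScope !== "Global" && p?.policyScope !== "Regional")
      findings.push(`${tag}: policyScope must be Global or Regional`);
    if (typeof p?.resourceType !== "string" || !p.resourceType.startsWith("AWS::"))
      findings.push(`${tag}: resourceType should be an AWS:: resource type`);
    if (typeof p?.remediationEnabled !== "boolean")
      findings.push(`${tag}: remediationEnabled must be a JSON boolean, not a string`);
  });
  return findings;
}

// Names of the policies that will auto-remediate once deployed.
function autoRemediating(policies: PolicyEntry[]): string[] {
  return policies.filter((p) => p.remediationEnabled).map((p) => p.policyName);
}

// Copy of the list with remediation off for one policy (the FMS-WAF-01 change above); input untouched.
function disableRemediation(policies: PolicyEntry[], name: string): PolicyEntry[] {
  return policies.map((p) => (p.policyName === name ? { ...p, remediationEnabled: false } : p));
}

// Reads a manifest from disk, e.g. source/services/policyManager/lib/manifest.json.
function loadPolicies(file: string): PolicyEntry[] {
  return JSON.parse(fs.readFileSync(file, "utf8")).policies;
}
```

Run `validatePolicies` and `autoRemediating` on `loadPolicies(<path to your manifest>)` and review the returned names before running `cdk deploy`.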
AWS Centralized WAF & Security Group Management solution consists of:
- cdk constructs to generate needed resources
- prereq manager to validate and install Firewall Manager prerequisites
- policy manager to install FMS security policies
- metrics manager to publish metrics to aws-solutions
|-deployment/
  |-build-scripts/ [ build scripts ]
|-source/
  |-resources
    |-bin/
      |-app.ts [ entry point for CDK app ]
    |-__tests__/ [ unit tests for CDK constructs ]
    |-lib/
      |-fms.ts [ CDK construct for FMS stack and related resources ]
      |-iam.ts [ CDK construct for iam resources ]
      |-prereq.ts [ CDK construct for Prerequisite stack and related resources ]
      |-manifest.json [ manifest file for CDK resources ]
    |-config_files [ tsconfig, jest.config.js, package.json etc. ]
  |-services/
    |-helper/ [ lambda backed helper custom resource to help with solution launch/update/delete ]
    |-policyManager/ [ microservice to manage FMS security policies ]
      |-__tests/ [ unit tests for all policy managers ]
      |-lib/
        |-clientConfig.json [ config for AWS service clients ]
        |-manifest.json [ manifest file for FMS policy configurations ]
        |-wafManager.ts [ class for WAF policy CRUD operations ]
        |-shieldManager.ts [ class for Shield policy CRUD operations ]
        |-securitygroupManager.ts [ class for Security Group policy CRUD operations ]
        |-fmsHelper.ts [ helper functions for FMS policy ]
        |-policyManager.ts [ entry point to process FMS policies ]
      |-index.ts [ entry point for lambda function ]
      |-config_files [ tsconfig, jest.config.js, package.json etc. ]
    |-preReqManager
      |-__tests/ [ unit tests for pre req manager ]
      |-lib/
        |-clientConfig.json [ config for AWS service clients ]
        |-preReqManager.ts [ class for FMS pre-requisites validation and installation ]
      |-index.ts [ entry point for lambda function ]
      |-config_files [ tsconfig, jest.config.js, package.json etc. ]
    |-metricsManager
      |-index.ts [ entry point for lambda function ]
      |-config_files
|-config_files [ eslint, prettier, tsconfig, jest.config.js, package.json etc. ]
See license here