Prerequisites: How to Get Started
Before you can use AWS Firewall Manager, you must have the following in place:
- AWS Organizations: Your accounts must be managed under AWS Organizations with all features enabled; an organization set up for consolidated billing only does not qualify.
- Set Administrator Account: From the organization's management account, designate a Firewall Manager administrator account. AWS recommends a dedicated member account rather than the management account itself. This is the account from which you create and manage all policies.
- Enable AWS Config: AWS Config must be enabled, with resource recording turned on, in every member account and every Region you intend to manage. Firewall Manager relies on AWS Config to discover newly created resources and to detect drift from your policies, so an account or Region without Config cannot be evaluated or remediated.
How Firewall Manager Works
Firewall Manager operates on a policy-based model:
- Create a Policy: In the administrator account, you create a security policy of a single type (AWS WAF, AWS Shield Advanced, VPC security group, AWS Network Firewall or Route 53 Resolver DNS Firewall). Policies are Regional; CloudFront distributions, being global, are managed from the US East (N. Virginia) Region.
- Define the Rule Set: Within the policy, you define what is to be enforced: a set of AWS WAF rule groups, a baseline or audit security group, a Network Firewall rule configuration, or a DNS Firewall rule group.
- Define the Scope: You then specify which accounts or Organizational Units (OUs) the policy covers (by include or exclude lists) and which resources within them, by resource type and, optionally, by tag (tags can be used either to select resources or to exclude them).
- Automatic Application & Enforcement: Firewall Manager applies the policy to every in-scope resource. With remediation enabled, it creates and associates the required protections itself (for example, a web ACL on each in-scope load balancer); with remediation disabled, it only reports. In both modes it continuously evaluates newly created resources and configuration drift and reports compliance back to the administrator account.
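The four steps above amount to producing one policy document and letting Firewall Manager evaluate scope. The following is an added example, not code from the original page or from AWS: it builds an AWS WAF policy in the shape the FMS PutPolicy API expects (one gotcha it shows is that the WAF configuration must be serialised as a JSON string inside ManagedServiceData) and then evaluates the policy's scope locally against a constructed resource inventory. The OU IDs, account IDs, resource names and the scope semantics implemented in `in_scope` are assumptions made for illustration; only `AWSManagedRulesCommonRuleSet` and the request field names are real.

```python
"""Added example (not from the page or from AWS): build a Firewall Manager
AWS WAF policy document and evaluate its scope locally against a constructed
resource inventory. Field names follow the FMS PutPolicy API; OU IDs,
account IDs and resource names are placeholders."""
import json

WAF_RESOURCE_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer"  # Application Load Balancers


def build_waf_policy(name, ou_ids, resource_tags, exclude_tags=False):
    """Return a PutPolicy 'Policy' document that enforces AWSManagedRulesCommonRuleSet."""
    # Firewall Manager expects the WAF configuration as a JSON *string* inside
    # ManagedServiceData; passing a dict is a common reason put-policy is rejected.
    managed_service_data = {
        "type": "WAFV2",
        "preProcessRuleGroups": [{
            "managedRuleGroupIdentifier": {
                "vendorName": "AWS",
                "managedRuleGroupName": "AWSManagedRulesCommonRuleSet",
                "version": None,
            },
            "ruleGroupType": "ManagedRuleGroup",
            "overrideAction": {"type": "NONE"},  # keep the rule group's own block actions
            "excludeRules": [],
        }],
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        "overrideCustomerWebACLAssociation": False,
    }
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": json.dumps(managed_service_data),
        },
        "ResourceType": WAF_RESOURCE_TYPE,
        "ResourceTags": [{"Key": k, "Value": v} for k, v in resource_tags.items()],
        "ExcludeResourceTags": exclude_tags,
        "RemediationEnabled": True,  # associate the web ACL, not merely report
        "IncludeMap": {"ORGUNIT": list(ou_ids)},  # placeholder OU IDs
        "ExcludeMap": {},
    }


def in_scope(policy, resource):
    """Local approximation (assumed semantics) of Firewall Manager scoping:
    IncludeMap limits accounts/OUs, ExcludeMap removes them, and every tag in
    ResourceTags must match unless ExcludeResourceTags inverts the test."""
    if resource["Type"] != policy["ResourceType"]:
        return False
    include, exclude = policy["IncludeMap"], policy["ExcludeMap"]
    if resource["Account"] in exclude.get("ACCOUNT", []) or resource["OU"] in exclude.get("ORGUNIT", []):
        return False
    if include and resource["Account"] not in include.get("ACCOUNT", []) \
            and resource["OU"] not in include.get("ORGUNIT", []):
        return False
    wanted = {t["Key"]: t["Value"] for t in policy["ResourceTags"]}
    if not wanted:
        return True
    has_all = all(resource["Tags"].get(k) == v for k, v in wanted.items())
    return not has_all if policy["ExcludeResourceTags"] else has_all


def in_scope_ids(policy, resources):
    """IDs of the resources the policy would act on, in inventory order."""
    return [r["Id"] for r in resources if in_scope(policy, r)]


# Constructed inventory, not real AWS data (placeholder OU and account IDs).
SAMPLE_RESOURCES = [
    {"Id": "alb-prod-web", "Type": WAF_RESOURCE_TYPE, "Account": "111111111111",
     "OU": "ou-root-prod", "Tags": {"env": "prod"}},
    {"Id": "alb-dev-web", "Type": WAF_RESOURCE_TYPE, "Account": "222222222222",
     "OU": "ou-root-dev", "Tags": {"env": "dev"}},
    {"Id": "alb-prod-untagged", "Type": WAF_RESOURCE_TYPE, "Account": "111111111111",
     "OU": "ou-root-prod", "Tags": {}},
    {"Id": "apigw-prod", "Type": "AWS::ApiGateway::Stage", "Account": "111111111111",
     "OU": "ou-root-prod", "Tags": {"env": "prod"}},
]


if __name__ == "__main__":
    policy = build_waf_policy("prod-web-baseline", ["ou-root-prod"], {"env": "prod"})
    print(json.dumps(policy, indent=2))  # save as policy.json for put-policy
    print("in scope:", in_scope_ids(policy, SAMPLE_RESOURCES))
```

Run in the administrator account, the printed document can be submitted with `aws fms put-policy --policy file://policy.json` in the Region the policy should cover. Note that `apigw-prod` is tagged correctly but stays out of scope because a policy targets one resource type; covering API Gateway stages as well needs `ResourceTypeList` or a second policy.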
Services Managed by Firewall Manager
Firewall Manager provides a single interface to manage the rules for several different AWS security services:
- AWS WAF: Centrally create and manage web ACLs and apply them to Application Load Balancers, Amazon API Gateway REST API stages, Amazon CloudFront distributions and the other resource types AWS WAF supports, across your organization.
- AWS Shield Advanced: Automatically apply Shield Advanced DDoS protection to resources such as Elastic IP addresses, Elastic Load Balancers and CloudFront distributions.
- VPC Security Groups:
  - Auditing: Audit existing security groups against a reference set of rules, flagging overly permissive ones (e.g., rules that allow unrestricted inbound access from 0.0.0.0/0 or ::/0) and, separately, unused or redundant security groups.
  - Enforcement: Push a common baseline security group to in-scope accounts, where Firewall Manager replicates it and associates it with the EC2 instances and network interfaces in scope.
- AWS Network Firewall: Centrally deploy firewall endpoints into your VPCs and manage the firewall policies and stateless and stateful rule groups that filter their network traffic.
- Amazon Route 53 Resolver DNS Firewall: Centrally associate DNS Firewall rule groups with your VPCs to block queries to known malicious domains or to allow queries only to an approved list of domains.
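To make the security group auditing item concrete, here is an added example, not code from the original page or from AWS. It models a content audit as a list of allowed inbound rules standing in for the policy's audit security group, and reports every inbound rule that is not fully covered by one of them (protocol, port range and source CIDR all checked). The security group data, the allowed baseline and the coverage semantics are constructed assumptions for illustration, not what Firewall Manager evaluates internally; the example also handles the IPv6 case, where an IPv4-only baseline leaves `::/0` rules flagged.

```python
"""Added example (not from the page or from AWS): a local check that mirrors
what a Firewall Manager security group content audit policy reports. The
allowed baseline stands in for the audit security group; every inbound rule
not fully covered by an allowed rule is non-compliant. All data is constructed."""
import ipaddress


def _port_range(rule):
    """Port span a rule covers; protocol '-1' (all traffic) spans every port."""
    if rule["Protocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def rule_permits(allowed, rule):
    """True if `rule` is no broader than `allowed` in protocol, ports and source CIDR."""
    if allowed["Protocol"] != "-1" and allowed["Protocol"] != rule["Protocol"]:
        return False
    a_lo, a_hi = _port_range(allowed)
    r_lo, r_hi = _port_range(rule)
    if not (a_lo <= r_lo and r_hi <= a_hi):
        return False
    a_net = ipaddress.ip_network(allowed["Cidr"])
    r_net = ipaddress.ip_network(rule["Cidr"])
    # IPv4 and IPv6 never cover each other: an IPv4-only baseline leaves ::/0 exposed.
    return a_net.version == r_net.version and r_net.subnet_of(a_net)


def is_unrestricted(rule):
    """The textbook finding: any address on the internet may reach the port."""
    return rule["Cidr"] in ("0.0.0.0/0", "::/0")


def audit_security_group(sg, allowed_rules):
    """Inbound rules of `sg` not covered by any allowed rule (what the audit reports)."""
    return [r for r in sg["Inbound"] if not any(rule_permits(a, r) for a in allowed_rules)]


def audit_all(security_groups, allowed_rules):
    """Map each security group ID to its non-compliant inbound rules (empty when compliant)."""
    return {sg["Id"]: audit_security_group(sg, allowed_rules) for sg in security_groups}


# Constructed allowed baseline: HTTPS from anywhere, SSH only from the corporate range.
ALLOWED_INBOUND = [
    {"Protocol": "tcp", "FromPort": 443, "ToPort": 443, "Cidr": "0.0.0.0/0"},
    {"Protocol": "tcp", "FromPort": 22, "ToPort": 22, "Cidr": "10.0.0.0/8"},
]

# Constructed security groups, in the shape AWS Config might record them.
SAMPLE_SECURITY_GROUPS = [
    {"Id": "sg-web", "Inbound": [
        {"Protocol": "tcp", "FromPort": 443, "ToPort": 443, "Cidr": "0.0.0.0/0"},
        {"Protocol": "tcp", "FromPort": 22, "ToPort": 22, "Cidr": "0.0.0.0/0"},
        {"Protocol": "-1", "FromPort": None, "ToPort": None, "Cidr": "::/0"},
    ]},
    {"Id": "sg-bastion", "Inbound": [
        {"Protocol": "tcp", "FromPort": 22, "ToPort": 22, "Cidr": "10.20.0.0/16"},
    ]},
]


if __name__ == "__main__":
    for sg_id, findings in audit_all(SAMPLE_SECURITY_GROUPS, ALLOWED_INBOUND).items():
        print(f"{sg_id}: {'COMPLIANT' if not findings else 'NON_COMPLIANT'}")
        for r in findings:
            flag = " (unrestricted source)" if is_unrestricted(r) else ""
            print(f"  {r['Protocol']} {r['FromPort']}-{r['ToPort']} from {r['Cidr']}{flag}")
```

In this sample `sg-web` is flagged twice (SSH open to the world, and an all-traffic IPv6 rule that no IPv4 baseline can cover), while `sg-bastion` passes because 10.20.0.0/16 sits inside the allowed 10.0.0.0/8. An enforcement (common security group) policy would instead replace such rules with the baseline; an audit policy only reports them.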
Core Benefits
- Centralized Management: Configure firewall rules once and deploy them across hundreds or thousands of accounts from a single administrator account.
- Improved Security Posture: Enforce a consistent security baseline, ensuring that all applications are protected and closing gaps left by account-by-account configuration.
- Simplified Compliance: Audit and report on firewall compliance across your entire AWS Organization from one place.
- Scalability: Policies are applied automatically to new accounts and resources as they are created, so protection keeps pace with growth.
Pricing
Firewall Manager has a tiered pricing model:
- For AWS Shield Advanced customers:
  - Firewall Manager policy fees are included in the Shield Advanced subscription at no additional charge.
  - You still pay for the AWS Config rules that Firewall Manager creates to monitor your resources.
- For all other customers (AWS WAF only, or Shield Standard):
  - You pay a monthly fee per policy, per Region.
  - You also pay the standard fees for the underlying resources that Firewall Manager creates and manages on your behalf (e.g., AWS WAF web ACLs and rule evaluations, AWS Network Firewall endpoints) and for the associated AWS Config rules.