Solving with AWS Solutions: AWS Firewall Manager Automations for AWS Organizations
Aug 16, 2023
Centrally configure, manage, and audit firewall rules across all of your AWS accounts and resources in AWS Organizations. This reference implementation automates the process to set up AWS Firewall Manager security policies. Solution link: https://aws.amazon.com/solutions/impl … AWS Solutions: https://aws.amazon.com/solutions/
13.343 -> Welcome to Solving
14.377 -> with AWS Solutions.
15.712 -> Your deep dive into reference
17.113 -> architectures built by AWS that
18.982 -> are ready to deploy instantly
20.416 -> in the cloud.
21.317 -> I'm Ashley, and today I'm
22.752 -> joined by Lilat to tell us
23.987 -> about the AWS Firewall Manager
25.922 -> Automations for
26.99 -> AWS Organizations solution.
29.359 -> Customers often find it
30.36 -> difficult and time-consuming to
31.894 -> have a consistent security
33.029 -> posture across their
34.097 -> AWS organization.
35.865 -> This solution is great for
37 -> customers looking to
37.767 -> standardize security while
38.935 -> making it easy to get started
40.37 -> with AWS Firewall Manager.
42.538 -> Awesome.
43.272 -> Let's take a look.
45.108 -> All right, Lilat.
45.775 -> Show me how we get started.
47.477 -> Sure.
48.845 -> A great place to start is
49.946 -> the landing page.
51.08 -> You're provided
51.648 -> an implementation guide,
52.882 -> basic information about the
54.083 -> solution and the
56.219 -> architecture diagram, which we
57.22 -> will dive deep into.
58.721 -> You can also look at the
59.589 -> source code, if you
60.356 -> would like.
62.392 -> Great, so you mentioned the
63.893 -> architecture diagram, can we
65.094 -> look at that?
66.229 -> Let me walk you through that.
67.73 -> So if you are a first-time
69.065 -> Firewall Manager user,
70.733 -> we provide you a prerequisite
73.002 -> template that will help you set
74.837 -> up a dedicated admin for your
76.472 -> Firewall Manager service.
79.142 -> The resources that you see here
80.843 -> are going to be deployed by
81.844 -> the primary stack.
83.546 -> Nothing really changes in your
84.681 -> environment until you identify
86.816 -> and provide a list of
88.251 -> organizational units or
90.053 -> specific regions, or if you
91.521 -> want to provide certain tag
93.589 -> values to us.
95.058 -> Once you enter the organizational
96.659 -> unit into the Parameter Store,
99.662 -> the change will be captured by
101.297 -> the EventBridge rule,
102.298 -> which will invoke
102.999 -> the Lambda function.
104.033 -> This Lambda function here is
105.268 -> going to get the default policy
108.471 -> from the S3 bucket and is going to
111.34 -> make Firewall Manager API calls
113.443 -> to deploy the security policies
114.844 -> for you, as well as store the
116.479 -> metadata into a DynamoDB table.
119.015 -> OK, I'm looking at the
119.882 -> compliance
120.45 -> report generator here.
121.484 -> It looks like this solution
122.485 -> creates a time-based event and
124.253 -> then invokes the Lambda
126.089 -> function and creates the
127.423 -> compliance report and
128.391 -> stores it in S3.
129.358 -> That's correct.
130.393 -> Wonderful.
131.16 -> All right.
131.861 -> So let's
132.428 -> talk about customization.
133.596 -> You know, for organizations,
134.697 -> it's essential to be able to
135.731 -> make this work for
136.432 -> their needs.
137.133 -> Show me how we can
138.034 -> customize these policies.
139.535 -> Sure, let me walk you through
141.671 -> where we stored
142.505 -> the default policy.
143.773 -> So here's the S3 bucket where
145.408 -> we stored the manifest file.
147.91 -> Let me switch to
148.878 -> the default policy.
151.08 -> So here you can see that there
153.015 -> are six or seven kinds of
154.417 -> security policies that
155.318 -> you can deploy.
156.185 -> You can modify them.
157.253 -> You can modify any properties.
158.554 -> And if you want to just remove
159.856 -> one specific security
161.724 -> policy type, you can just get
163.459 -> rid of that, and that
165.628 -> will update your
166.429 -> security policy posture.
168.831 -> Let me take you to the
169.632 -> Parameter Store in the
170.867 -> Systems Manager console.
173.436 -> This is where we have
174.937 -> provided the OUs.
177.406 -> If you wish to delete the
178.541 -> security policies, you can just
180.576 -> replace these values with the
182.378 -> keyword delete, and all the
184.447 -> policies will be
185.047 -> deleted for you.
186.349 -> If you wish to deploy security
188.384 -> policies to
188.951 -> very specific regions, you can
190.553 -> also provide a list of regions
191.854 -> here as well.
193.589 -> In the Firewall Manager console
195.758 -> here you can see the global
198.294 -> default policy was deployed
200.696 -> after we added
201.597 -> the organizational unit.
203.065 -> After we added the regions,
205.501 -> we deployed the regional
207.136 -> security policies in the
208.538 -> specific regions that we have
210.606 -> entered in the
211.574 -> Parameter Store.
212.942 -> Let me walk you through one of
215.411 -> the security policies
216.212 -> for security groups.
217.68 -> Here you can see you can easily
219.081 -> identify what this policy
220.85 -> does just by looking at
221.717 -> the policy detail.
223.186 -> We are monitoring if the
225.154 -> security group allows
226.322 -> an ALL protocol.
227.924 -> And yes, we have identified one
229.659 -> of those accounts where a
231.26 -> security group allows that, and
233.329 -> it's very easy for
235.364 -> us to identify what
237.166 -> security group that is.
238.234 -> And we can go and fix that.
241.304 -> We by default disable the
243.539 -> automatic remediation because
245.041 -> we don't want to
245.608 -> modify your environment.
247.376 -> So if you wish to enable it,
248.678 -> you can do so as well.
251.113 -> All right.
251.681 -> So if I want to apply this for
252.782 -> my business,
253.416 -> for my organization, what kind
254.917 -> of value does it have?
256.419 -> So the first thing is it saves
257.486 -> you time, right?
258.454 -> And second, it automates the
259.522 -> deployment of your security
260.79 -> policies to protect your
262.325 -> web applications, block bad DNS
264.56 -> queries and audit
265.828 -> your security groups.
267.263 -> All right.
267.83 -> Saves time, simplifies.
269.265 -> Sounds great.
269.966 -> Thanks so much for explaining
271.1 -> it to me.
271.734 -> You're welcome.
273.603 -> Well, there you have it.
274.604 -> The AWS Firewall Manager
276.239 -> Automations for
277.073 -> AWS Organizations Solution.
279.275 -> Visit the AWS website
280.81 -> to learn more.
281.744 -> Thanks for watching.
282.712 -> See you soon!
Source: https://www.youtube.com/watch?v=Vi998nzsujU