Introducing AWS Firewall Manager - AWS Online Tech Talks
1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Firewall Manager
Centrally configure and manage your firewall rules
across accounts and applications
Venkat Vijayaraghavan, Product Manager
2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
Introduction to AWS
Firewall Manager
Getting Started
Demo
Intro 101
3.
Web Application Threats
Application Vulnerabilities
Bots & Scrapers
HTTP Floods
4.
Challenges Customers Face
Large Number of Accounts and Resources: new applications created all the time
Hard to manage security policies centrally across all Accounts and resources: difficult to ensure that all applications are consistently protected on day 1
Central Organization-wide Visibility into Threats: no single place to monitor and respond to any threats across the Organization
5.
AWS Firewall Manager
AWS Firewall Manager is a security management tool to centrally configure and manage web application firewall rules across all accounts and applications in your Organization.
6.
AWS Firewall Manager
AWS WAF
Web application firewall to help
detect and block malicious web
requests targeted at your web
applications
AWS Firewall Manager
Easily configure AWS WAF rules
across all ALB or CloudFront
distributions in your Organization
7.
What is AWS WAF (Web Application Firewall)?
Web traffic filtering with custom rules & automations
Managed Rules to block malicious requests
Active monitoring and tuning
8.
Key Benefits
9.
AWS Firewall Manager Key Benefits
Ensure Compliance to
Mandatory Rules Across
Organization
Simplify Management of
Rules Across Accounts &
Applications
Easily Deploy WAF Rules
from AWS Marketplace
Enable Rapid Response
to Internet Attacks
10.
AWS Firewall Manager Key Benefits
Simplify Firewall Rules Management Across Accounts & Resources
Integrated with AWS Organizations so you can enable AWS WAF rules across multiple AWS accounts.
Firewall Manager Policies can span across Accounts and across resources.
Supports hierarchical rules: the security administrator can create organization-wide rules, while delegating application-specific rules to individual Account owners.
11.
AWS Firewall Manager Key Benefits
Ensure Compliance of Existing and New Applications
Ensure All your resources comply with a
mandatory set of security policies
Automatically discover new Accounts, or resources
like ALB or CloudFront distribution as they are
created
Easily block traffic from embargoed countries
across your Organization to adhere to the US
Dept. of Treasury’s Office of Foreign Assets
Control (OFAC) regulations
12.
AWS Firewall Manager Key Benefits
Easily Deploy WAF Rules from AWS Marketplace
Integrated with Managed Rules for AWS WAF, an easy way to deploy pre-configured WAF rules for your applications
Consistently deploy a managed rule group from any Marketplace vendor across your Organization
Easily deploy an OWASP Top 10 rule group to protect your PCI workloads, or deploy a bad IP reputation list to prevent bad actors from accessing your applications
13.
AWS Firewall Manager Key Benefits
Enable Rapid Response to Internet Attacks
Security administrators have a single console to receive real-time threat information and respond within minutes
Quickly apply CVE patches across all applications in your Organization, or block malicious IP addresses detected by GuardDuty across the entire Organization
[Diagram: Amazon GuardDuty -> Amazon CloudWatch Event -> AWS Lambda Function -> Firewall Manager -> AWS WAF in Account 1, Account 2 and Account 3]
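The GuardDuty -> CloudWatch Events -> Lambda -> Firewall Manager flow on this slide, as an added Python example that is not part of the AWS deck: a Lambda handler that takes a GuardDuty finding, extracts the remote IPv4 address and builds the classic AWS WAF UpdateIPSet request that adds it to a block-list IPSet. The IPSet id, the severity threshold and the sample event are constructed placeholders, not values from the talk.

```python
import ipaddress

IP_SET_ID = "REPLACE_WITH_IPSET_ID"  # placeholder: the IPSet referenced by your FMS rule group
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def remote_ips_from_finding(finding):
    """Collect remote IPv4 addresses from the action types a GuardDuty finding carries."""
    action = finding.get("service", {}).get("action", {})
    ips = set()
    for key in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.add(ip)
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        ip = probe.get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.add(ip)
    return sorted(ips)


def build_ipset_updates(ips, severity, min_severity=4.0):
    """Build classic-WAF UpdateIPSet 'Updates'; skip low-severity findings and internal IPs."""
    if severity < min_severity:
        return []
    updates = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4 or addr.is_loopback or any(addr in net for net in RFC1918):
            continue  # never push your own private ranges into a block list
        updates.append({"Action": "INSERT",
                        "IPSetDescriptor": {"Type": "IPV4", "Value": f"{addr}/32"}})
    return updates


def handler(event, context=None):
    """CloudWatch Events entry point; returns the UpdateIPSet request it builds."""
    finding = event["detail"]
    updates = build_ipset_updates(remote_ips_from_finding(finding),
                                  float(finding.get("severity", 0)))
    request = {"IPSetId": IP_SET_ID, "Updates": updates}
    if updates and context is not None:  # only talk to AWS when invoked as a real Lambda
        import boto3
        waf = boto3.client("waf")  # use "waf-regional" for ALB-attached WebACLs
        request["ChangeToken"] = waf.get_change_token()["ChangeToken"]
        waf.update_ip_set(**request)
    return request


# Constructed sample event in the CloudWatch Events shape for a GuardDuty finding (not real data).
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding", "detail": {"severity": 5, "service": {
    "action": {"networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}
```

Called without a Lambda context, `handler(SAMPLE_EVENT)` only returns the request it would send, which is the safe way to test the mapping before wiring the rule to a real IPSet.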
14.
Key Features
15.
Other Key Features
Integration with AWS Organizations for cross-account protection policies
Continuous monitoring of policy drift, with automatic remediation of WAF rules
Multi-account resource groups, using specifiers like Resource type or Tagris Tags
Hierarchical rule enforcement; Globally mandated rules with customized local rules
Dashboard with compliance notifications for auditing
Receive notifications via SNS for non-compliance events
Central visibility of threats across the entire Organization
16.
Typical Use Cases
Mandatory Rules Across Organization
• Block traffic from embargoed countries to adhere to OFAC regulations.
• Deploy an IP Reputation list across the organization to automatically block traffic from known bad IP addresses
17.
Typical Use Cases
Deploy OWASP rules for PCI compliance
• PCI DSS 3.0 Requirement 6 suggests customers deploy a WAF, with rules
like OWASP top 10
• Subscribe to Managed Rules from AWS Marketplace
• Ensure the OWASP rule is applied across all PCI-tagged resources
18.
Getting Started & Demo
19.
Firewall Manager Pre-Requisites
1. Enable AWS Organizations Full Features
2. Enable AWS Config Recorder in All Accounts
3. Designate an Account as Firewall Manager Admin
20.
Demo: Firewall Manager
[Diagram: DemoMaster Account (ALB1, ALB2), DemoSecurityAdmin Account (ALB1, ALB2), DemoMember Account (ALB1, ALB2, ALB3)]
21.
How to get started?
1. Security Admin creates RuleGroup: subscribe to Managed Rules from AWS Marketplace OR create a custom RuleGroup
2. Specify Policy Scope: the customer specifies the scope of resources included in the policy. Use Resource Type (Ex: ALB or CloudFront) or Tags to choose resources
3. Create Policy: verify the scope and Save. Creates the necessary AWS WAF Rules, and also Config rules for monitoring.
22.
AWS Firewall Manager Pricing
With AWS WAF / Shield Standard
ALL PUBLIC REGIONS
• $100 per policy per Region
GLOBAL (AMAZON CLOUDFRONT LOCATIONS)
• $100 per policy per Region
AWS WAF
• WebACLs or Rules created by Firewall Manager - See AWS WAF pricing
AWS Config
• AWS Config rules created by Firewall Manager - See AWS Config pricing
With AWS Shield Advanced
ALL PUBLIC REGIONS
• Included. No charge per policy per Region
GLOBAL (AMAZON CLOUDFRONT LOCATIONS)
• Included. No charge per policy per Region
AWS WAF
• Included. No charge for AWS Shield Advanced.
AWS Config
• AWS Config rules created by Firewall Manager - See AWS Config pricing
23.
Region Availability
US East (Virginia)
US West (Oregon)
Global (All CloudFront edge locations)
24.
Thank you!
www.aws.amazon.com/firewall-manager
25.
Q: Why Does Firewall Manager Create Config Rules?
• Monitor changes in resource configurations.
• Know when new resources are created.
• Know when WAF rules are accidentally deleted.
26.
Getting Started
Prerequisites
27.
Getting Started
Prerequisites
In the AWS Organizations Console (the AWS Organization master needs to do this).
28.
Getting Started
Prerequisites
Set in the AWS Firewall Manager console (the AWS Organization master needs to do this).
29.
Getting Started
Step 1:
Go to AWS WAF & Shield Console.
30.
Getting Started
Step 2:
Create RuleGroup
31.
Getting Started
Step 3:
Define Firewall Manager Policy
32.
Getting Started
Step 4:
Define Policy Exceptions
“ALL ALBs except those that are Tagged Dev”
33.
Getting Started
Step 5:
Review and create
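The policy that the "How to get started?" slide and Steps 1 to 5 describe, built programmatically as an added Python example (not AWS's code from the talk): it assembles the `Policy` document that boto3's `fms.put_policy` accepts, with the Step 4 exception "all ALBs except those tagged Dev" expressed through `ResourceTags` plus `ExcludeResourceTags`, and a scope checker to test a resource's tags before deploying. The rule group id and the `Environment=Dev` tag are constructed placeholders; the all-tags-must-match rule in `in_scope` is an assumption.

```python
import json

RULE_GROUP_ID = "REPLACE_WITH_RULE_GROUP_ID"  # placeholder: Step 2 custom group or Marketplace group
ALB = "AWS::ElasticLoadBalancingV2::LoadBalancer"  # ResourceType for ALBs (CloudFront: AWS::CloudFront::Distribution)


def build_waf_policy(name, rule_group_id, resource_type, tags=None, exclude_tags=False,
                     remediate=True):
    """Return the Policy dict that boto3's fms.put_policy expects (classic AWS WAF type)."""
    # ManagedServiceData is a JSON string naming the rule groups the policy's WebACL gets,
    # how Firewall Manager overrides their action, and the WebACL default action.
    managed = {"type": "WAF",
               "ruleGroups": [{"id": rule_group_id, "overrideAction": {"type": "NONE"}}],
               "defaultAction": {"type": "BLOCK"}}
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {"Type": "WAF", "ManagedServiceData": json.dumps(managed)},
        "ResourceType": resource_type,
        "ResourceTags": [{"Key": k, "Value": v} for k, v in (tags or {}).items()],
        # True: tagged resources are carved OUT of scope ("all ALBs except those tagged Dev").
        # False: only resources carrying the tags are IN scope (e.g. PCI-tagged ALBs).
        "ExcludeResourceTags": exclude_tags,
        "RemediationEnabled": remediate,  # auto-fix the drift that the Config rules detect
    }


def in_scope(policy, resource_tags):
    """Evaluate a resource's tags against the policy scope before deploying it.
    Assumption: a resource matches the tag filter only when it carries every listed tag."""
    wanted = {t["Key"]: t["Value"] for t in policy["ResourceTags"]}
    if not wanted:
        return True  # no tag filter: every resource of the type is in scope
    matches = all(resource_tags.get(k) == v for k, v in wanted.items())
    return not matches if policy["ExcludeResourceTags"] else matches


if __name__ == "__main__":
    import boto3  # only needed when actually deploying from the designated FMS admin account
    fms = boto3.client("fms", region_name="us-east-1")  # assumption: IAD as the policy Region
    fms.put_policy(Policy=build_waf_policy("alb-mandatory-rules", RULE_GROUP_ID, ALB,
                                           tags={"Environment": "Dev"}, exclude_tags=True))
```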
34.
Additional Slides
35.
As of 01/31/2018
36.
Using AWS Firewall Manager vs CloudFormation StackSets
CloudFormation StackSets
• Central configuration of distributed WAFs
• Rules owned by individual Accounts
• Account-specific visibility of threats
Firewall Manager
• Central configuration & management of distributed WAFs
• Rules owned by the security admin Account
• Central visibility of threats across Accounts
• Use AWS Firewall Manager when your Security Administrators want to write WAF rules centrally and configure them across all Accounts, while getting visibility centrally.
• Use CloudFormation StackSets when you want the same WAF rules deployed across Accounts
37.
What are custom RuleGroups?
• RuleGroups are a collection of WAF Rules
• Customers can package a set of rules in a RuleGroup
• Customers add the RuleGroup to their WebACL (just like they add Rules)
• Default: 10 Rules per RuleGroup
• RuleGroups can be shared across Accounts. Rules are Account-specific
38.
AWS Firewall Manager Pricing
Pricing Example 1:
AWS Firewall Manager Policy in IAD with 1 Account
In this example, let’s assume you created a new protection policy in IAD for an Organization that has 1 AWS Account. AWS Firewall Manager has created 2 AWS Config rules and one AWS WAF Rule in a single AWS WAF WebACL.
39.
AWS Firewall Manager Pricing
Pricing Example 1:
Item                               | # of AWS Regions / Global | # of AWS Accounts | # Units | Unit Cost | Total
AWS Firewall Manager Policy in IAD | 1                         | N/A               | 1       | $100      | $100
AWS Config rule                    | N/A                       | 1                 | 2       | $2        | $4
AWS WAF WebACL                     | N/A                       | 1                 | 1       | $5        | $5
WAF Rule per month                 | N/A                       | 1                 | 1       | $1        | $1
Total $ / Month                    |                           |                   |         |           | $110
40.
AWS Firewall Manager Pricing
Pricing Example 2:
AWS Firewall Manager Policy in Global (CloudFront) with 7 Accounts
In this example, let’s assume you created a new protection policy for Global (for CloudFront) for an Organization that has 7 AWS Accounts. AWS Firewall Manager created 2 AWS Config rules in each AWS Account, and 1 AWS WAF WebACL with 1 WAF Rule in each AWS Account.
41.
AWS Firewall Manager Pricing
Pricing Example 2:
Item                                               | # of AWS Regions / Global | # of AWS Accounts | # Units | Unit Cost | Total
AWS Firewall Manager Policy in Global (CloudFront) | 1                         | N/A               | 1       | $100      | $100
AWS Config rule                                    | N/A                       | 7                 | 2       | $2        | $28
AWS WAF WebACL                                     | N/A                       | 7                 | 1       | $5        | $35
WAF Rule per month                                 | N/A                       | 7                 | 1       | $1        | $7
Total $ / Month                                    |                           |                   |         |           | $170
42.
AWS Firewall Manager Pricing
Pricing Example 3:
AWS Firewall Manager Policies in IAD & Global (CloudFront) with 10 Accounts
In this example, let’s assume you created new protection policies for IAD & Global (CloudFront) for an Organization that has 10 AWS Accounts. AWS Firewall Manager created 2 AWS Config rules in each AWS Account, and 1 AWS WAF WebACL with 1 WAF Rule in each AWS Account.
43.
AWS Firewall Manager Pricing
Pricing Example 3:
Item                                                       | # of AWS Regions / Global | # of AWS Accounts | # Units | Unit Cost | Total
AWS Firewall Manager Policies in IAD & Global (CloudFront) | 2                         | N/A               | 1       | $100      | $200
AWS Config rule                                            | N/A                       | 10                | 2       | $2        | $40
AWS WAF WebACL                                             | N/A                       | 10                | 1       | $5        | $50
WAF Rule per month                                         | N/A                       | 10                | 1       | $1        | $10
Total $ / Month                                            |                           |                   |         |           | $300