AWS Firewall Manager
- AWS Firewall Manager is a security management service that simplifies administration and maintenance tasks across multiple accounts and resources for a variety of protections.
- Firewall Manager enables centrally configuring and managing firewall rules across accounts and applications in an AWS Organization.
- With Firewall Manager, protections are set up once and the service automatically applies them across accounts and resources, even as new accounts and resources are added.
- Firewall Manager is particularly useful when protecting an entire organization rather than a small number of specific accounts, or when frequently adding new resources that need protection.
- Firewall Manager provides centralized monitoring of DDoS attacks across the organization for resources protected by Shield Advanced.
- A Firewall Manager administrator account (delegated from the Organizations management account) manages all policies centrally.
AWS Firewall Manager Key Features
- Centralized Security Policy Management
- Create and enforce security policies across all accounts in an AWS Organization from a single administrator account.
- Policies are applied automatically to existing resources and to new resources as they are created.
- Supports hierarchical rule enforcement — centrally applied rules are constantly monitored for accidental removal or mishandling.
- Auto-Remediation of Non-Compliant Resources
- Automatically bring non-compliant resources into compliance by deploying protections (e.g., creating WAF Web ACLs, associating security groups, deploying Network Firewall endpoints).
- Can be configured to either auto-remediate or notify only, allowing a phased rollout.
- Best practice is to start without auto-remediation to identify resources requiring manual handling, then enable auto-remediation when confidence is established.
- Cross-Account Protection Policies
- Integrated with AWS Organizations to automatically discover all accounts.
- Policies can be scoped to all accounts or specific OUs and accounts.
- New in-scope accounts that join the organization are automatically protected.
- Compliance Dashboard with Notifications
- Visual dashboard to quickly view protected AWS resources, identify non-compliant resources, and take action.
- SNS notification streams for configuration changes.
- Reports non-compliant issues including VPCs and accounts missing protections.
- Hierarchical Rule Enforcement
- Allows applying protection policies hierarchically — centrally mandated rules can be enforced while delegating application-specific rule creation to individual accounts.
- For WAF policies, first and last rule groups are enforced centrally, while account owners can add rules in between.
- Third-Party Firewall Support
- Centrally deploy and monitor AWS Marketplace subscribed third-party cloud firewalls (e.g., Palo Alto Networks Cloud NGFW, Fortinet) across all VPCs in the organization.
- Automates cross-account deployment of firewalls, association of rules, and VPC route configuration.
AWS Firewall Manager Supported Policy Types
- Firewall Manager supports multiple types of protection policies; each policy targets one protection service (WAF, Shield Advanced, security groups, network ACLs, Network Firewall, DNS Firewall or a third-party firewall) and one resource type, and an organization typically runs several policies side by side.
AWS WAF Policy
- Centrally deploys AWS WAF Web ACLs with rule groups across Application Load Balancers, API Gateways, Amazon CloudFront distributions, AWS AppSync GraphQL APIs, Amazon Cognito user pools, AWS App Runner services, and AWS Verified Access instances.
- Defines first and last rule groups that are enforced centrally — individual accounts can add rules between them.
- Supports AWS Managed Rules and Marketplace managed rule groups.
- Automatically creates Web ACLs in member accounts and associates them with in-scope resources.
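The following is an added example for this page (not code from AWS or from the original article) showing what a WAF policy with centrally enforced first and last rule groups looks like as a `PutPolicy` request. The `preProcessRuleGroups` list is the "first" group set, `postProcessRuleGroups` is the "last" set, and everything the account owner adds to the managed Web ACL is evaluated between them. The OU ID, the customer rule group ARN and the policy name are placeholders chosen for the example; `ManagedServiceData` is passed to the API as a JSON string, which is the part people most often get wrong.

```python
import json

# Placeholders (assumptions for this example): a customer-managed WAFv2 rule
# group that must run last, and the OU the policy is scoped to.
CUSTOM_LAST_RULE_GROUP_ARN = (
    "arn:aws:wafv2:us-east-1:111111111111:regional/rulegroup/org-blocklist/"
    "11111111-2222-3333-4444-555555555555"
)
PROD_OU_ID = "ou-abcd-11111111"
ACCOUNT_OWNER_SLOT = "<rules added by the account owner>"


def managed_rule_group(name, vendor="AWS"):
    """Reference an AWS Managed Rules group in WAFV2 ManagedServiceData form."""
    return {
        "ruleGroupArn": None,
        "overrideAction": {"type": "NONE"},
        "managedRuleGroupIdentifier": {
            "version": None,
            "vendorName": vendor,
            "managedRuleGroupName": name,
        },
        "ruleGroupType": "ManagedRuleGroup",
        "excludeRules": [],
        "sampledRequestsEnabled": True,
    }


def custom_rule_group(arn):
    """Reference a customer-managed WAFv2 rule group by ARN."""
    return {
        "ruleGroupArn": arn,
        "overrideAction": {"type": "NONE"},
        "managedRuleGroupIdentifier": None,
        "ruleGroupType": "RuleGroup",
        "excludeRules": [],
        "sampledRequestsEnabled": True,
    }


def build_waf_policy(remediation_enabled=False):
    """Return the Policy argument for fms.put_policy().

    preProcessRuleGroups are evaluated first and postProcessRuleGroups last
    in every web ACL the policy manages; rules the account owner adds to
    that web ACL are evaluated between the two."""
    managed_service_data = {
        "type": "WAFV2",
        "preProcessRuleGroups": [
            managed_rule_group("AWSManagedRulesCommonRuleSet"),
            managed_rule_group("AWSManagedRulesKnownBadInputsRuleSet"),
        ],
        "postProcessRuleGroups": [custom_rule_group(CUSTOM_LAST_RULE_GROUP_ARN)],
        "defaultAction": {"type": "ALLOW"},
        # False: an existing customer web ACL on a resource is reported as
        # non-compliant but left alone; True: remediation replaces it.
        "overrideCustomerWebACLAssociation": False,
        "sampledRequestsEnabledForDefaultActions": True,
    }
    return {
        "PolicyName": "org-baseline-waf-alb",
        "SecurityServiceType": "WAFV2",
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            # ManagedServiceData is passed as a JSON string, not a nested dict.
            "ManagedServiceData": json.dumps(managed_service_data),
        },
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "ResourceTags": [],
        "ExcludeResourceTags": False,
        # Start in monitoring mode; set True once violators have been reviewed.
        "RemediationEnabled": remediation_enabled,
        "DeleteUnusedFMManagedResources": True,
        "IncludeMap": {"ORG_UNIT": [PROD_OU_ID]},
    }


def managed_service_data(policy):
    """Decode the ManagedServiceData JSON string back into a dict."""
    return json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])


def evaluation_order(policy):
    """Rule group names/ARNs in the order a managed web ACL evaluates them,
    with the slot reserved for the account owner's own rules in between."""
    msd = managed_service_data(policy)

    def label(rg):
        ident = rg.get("managedRuleGroupIdentifier")
        return ident["managedRuleGroupName"] if ident else rg["ruleGroupArn"]

    first = [label(rg) for rg in msd["preProcessRuleGroups"]]
    last = [label(rg) for rg in msd["postProcessRuleGroups"]]
    return first + [ACCOUNT_OWNER_SLOT] + last


def deploy(policy, region="us-east-1"):
    """Create or update the policy from the Firewall Manager administrator
    account. Requires boto3 and AWS credentials, so it is not run offline."""
    import boto3  # imported here so the rest of the module works without it

    resp = boto3.client("fms", region_name=region).put_policy(Policy=policy)
    return resp["Policy"]["PolicyId"]


if __name__ == "__main__":
    policy = build_waf_policy()
    print(json.dumps(policy, indent=2))
    print(" -> ".join(evaluation_order(policy)))
```

Run it from the Firewall Manager administrator account with `deploy(build_waf_policy())` once the printed structure looks right; the same `put_policy` call with the same `PolicyName` updates the policy in place, so flipping `remediation_enabled` later is a second call, not a new policy.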
AWS Shield Advanced Policy
- Applies Shield Advanced protections across the organization for specified resource types.
- Protects Application Load Balancers, Classic Load Balancers, Elastic IP addresses, CloudFront distributions, and Global Accelerator accelerators.
- Automatically subscribes in-scope accounts to Shield Advanced.
- Associates an empty WAF Web ACL with protected WAF-capable resources (ALBs, CloudFront distributions) that do not already have one, because Shield Advanced application-layer DDoS mitigation requires a Web ACL on the resource.
Amazon VPC Security Group Policy
- Three types of security group policies:
- Common security groups — Creates and applies a baseline security group across EC2 instances, ENIs, and Elastic Load Balancers in VPCs.
- Content audit security groups — Defines guardrails for which security group rules are allowed or disallowed (expressed as a template security group) and detects overly permissive rules.
- Usage audit security groups — Identifies unused and redundant security groups for cleanup.
- Continuously monitors security groups for compliance and can auto-remediate violations.
Amazon VPC Network ACL (NACL) Policy
- Centrally manages VPC network access control lists across the organization (added April 2024).
- Defines first and last rules for inbound and outbound traffic — individual accounts can create custom rules in between.
- Enforces presence and ordering of rules in network ACLs within policy scope.
- Reports non-compliance for NACLs that don’t match the policy configuration.
AWS Network Firewall Policy
- Centrally deploys AWS Network Firewall endpoints across VPCs in the organization.
- Supports three deployment models:
- Distributed — Firewall endpoints deployed in each VPC within policy scope.
- Centralized — Single firewall in an inspection VPC.
- Import existing firewalls — Import existing Network Firewalls for centralized management.
- Automatically manages VPC route tables to route traffic through firewall endpoints.
- Changes to centrally configured rules are automatically deployed to all accounts and VPCs.
Amazon Route 53 Resolver DNS Firewall Policy
- Centrally associates VPCs with Route 53 Resolver DNS Firewall rule groups across the organization.
- Filters DNS queries to block resolution of known malicious domains.
- Supports shared domain lists for consistent DNS filtering across all accounts.
- Helps block DNS-based exfiltration and C2 callbacks to listed domains; it only filters queries that pass through Route 53 Resolver, so it does not cover traffic to allowed domains or to resolvers outside the VPC.
Palo Alto Networks Cloud NGFW Policy (Third-Party)
- Centrally deploys Palo Alto Networks Cloud NGFW resources and rulestacks across all accounts.
- Supports both distributed and centralized deployment models.
- Provides advanced threat prevention capabilities including App-ID, URL filtering, DNS Security, WildFire, and Enterprise DLP.
- Managed through either AWS Firewall Manager native policy or Panorama Cloud Device Groups.
- Requires active Cloud NGFW subscription from AWS Marketplace.
Fortinet FortiGate Cloud Native Firewall Policy (Third-Party)
- Centrally deploys Fortinet FortiGate firewalls across VPCs using Firewall Manager.
- Available through AWS Marketplace subscription.
AWS Firewall Manager Prerequisites
- AWS Organizations
- Accounts must be part of an AWS Organization with all features enabled.
- Organization management account designates a Firewall Manager administrator (delegated administrator).
- AWS Config
- AWS Config must be enabled in all accounts and Regions where Firewall Manager policies will be applied.
- Config records resource configuration changes that Firewall Manager uses to track compliance.
- Firewall Manager creates Config rules automatically per policy per account to monitor compliance.
- Firewall Manager Administrator Account
- Designated by the Organizations management account using the delegated administrator model; it can be the management account itself or a member account of the organization.
- Best practice: Use a dedicated security account (not the management account) as the Firewall Manager administrator.
- AWS WAF (for WAF policies)
- Must use AWS WAF (not WAF Classic) for new policies.
- Shield Advanced Subscription (for Shield policies)
- Required only if creating Shield Advanced policies.
- Shield Advanced subscription fee applies ($3,000/month per organization, with a one-year commitment).
- Third-Party Marketplace Subscriptions (for third-party policies)
- Active subscription to the third-party firewall product in AWS Marketplace is required in all target accounts.
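The prerequisites above are the things that silently break a rollout when one is missing, so here is an added preflight check for this page (not AWS code) that verifies all three through the APIs: Organizations feature set, the designated Firewall Manager administrator and its service-linked role status, and whether an AWS Config recorder is actually recording in the current Region. The clients are passed in rather than created, so the function is exercised below with constructed stand-ins; with real boto3 clients it assumes credentials for the management account or the Firewall Manager administrator account. The account ID `222222222222` is a placeholder.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PreflightResult:
    ok: bool
    problems: list = field(default_factory=list)


def check_prerequisites(org, fms, config, expected_admin: Optional[str] = None) -> PreflightResult:
    """Run the three checks. `org`, `fms` and `config` are boto3 clients for
    Organizations, Firewall Manager and AWS Config (or stand-ins with the
    same method names and response shapes)."""
    problems = []

    # 1. The account must belong to an organization with ALL features enabled
    #    (consolidated billing only is not enough for Firewall Manager).
    try:
        feature_set = org.describe_organization()["Organization"]["FeatureSet"]
        if feature_set != "ALL":
            problems.append(f"Organization feature set is {feature_set}, need ALL")
    except Exception as exc:  # e.g. AWSOrganizationsNotInUseException
        problems.append(f"describe_organization failed: {exc}")

    # 2. A Firewall Manager administrator must be designated and its
    #    service-linked role must be READY.
    try:
        admin = fms.get_admin_account()
        if admin.get("RoleStatus") != "READY":
            problems.append(f"FMS admin role status is {admin.get('RoleStatus')}, need READY")
        if expected_admin and admin.get("AdminAccount") != expected_admin:
            problems.append(f"FMS admin is {admin.get('AdminAccount')}, expected {expected_admin}")
    except Exception as exc:  # ResourceNotFoundException when none is designated
        problems.append(f"get_admin_account failed (no administrator designated?): {exc}")

    # 3. AWS Config must be recording in this account and Region.
    recorders = config.describe_configuration_recorder_status().get("ConfigurationRecordersStatus", [])
    if not any(r.get("recording") for r in recorders):
        problems.append("No AWS Config recorder is recording in this Region")

    return PreflightResult(ok=not problems, problems=problems)


def designate_admin(fms, account_id):
    """From the Organizations management account: make `account_id` the
    Firewall Manager administrator, then return the resulting admin record."""
    fms.associate_admin_account(AdminAccount=account_id)
    return fms.get_admin_account()


class StubClient:
    """Minimal stand-in for a boto3 client: each keyword is a method name
    mapped to a canned response, or to an exception to raise. Constructed
    for this example so the checks run offline."""
    def __init__(self, **responses):
        self.responses = responses

    def __getattr__(self, name):
        response = self.responses[name]

        def call(**_kwargs):
            if isinstance(response, Exception):
                raise response
            return response
        return call


def healthy_stubs():
    """Constructed responses for an account that meets every prerequisite."""
    return (
        StubClient(describe_organization={"Organization": {"FeatureSet": "ALL"}}),
        StubClient(get_admin_account={"AdminAccount": "222222222222", "RoleStatus": "READY"}),
        StubClient(describe_configuration_recorder_status={
            "ConfigurationRecordersStatus": [{"name": "default", "recording": True}]}),
    )


def broken_stubs():
    """Constructed responses for an account that fails all three checks."""
    return (
        StubClient(describe_organization={"Organization": {"FeatureSet": "CONSOLIDATED_BILLING"}}),
        StubClient(get_admin_account=RuntimeError("ResourceNotFoundException")),
        StubClient(describe_configuration_recorder_status={"ConfigurationRecordersStatus": []}),
    )


if __name__ == "__main__":
    for label, stubs in (("healthy", healthy_stubs()), ("broken", broken_stubs())):
        result = check_prerequisites(*stubs, expected_admin="222222222222")
        print(label, "OK" if result.ok else result.problems)
```

Against real clients, run the Config check once per Region you intend to put policies in, since Config recorders are Regional and Firewall Manager only sees resources in Regions where Config is recording.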
Policy Scope and Auto-Remediation
Policy Scope
- Firewall Manager policies can be scoped using:
- Account scope — Include all accounts in the organization, specific OUs, or specific accounts. Exclude specific accounts or OUs.
- Resource type — Target specific resource types (e.g., ALBs, CloudFront distributions, EC2 instances).
- Resource tags — Include or exclude resources based on tags. Supports both inclusion and exclusion tag lists.
- Specifying an OU is equivalent to specifying all accounts in that OU and any child OUs, including accounts added later.
- Best practice: Exclude the Firewall Manager administrator account from security group policies.
Auto-Remediation
- When enabled, Firewall Manager automatically applies protections to non-compliant resources:
- WAF policies — Creates Web ACLs and associates them with unprotected resources.
- Shield policies — Enables Shield Advanced protection and associates empty Web ACLs.
- Security group policies — Creates and applies security groups, removes non-compliant rules.
- Network Firewall policies — Creates firewall endpoints and configures VPC route tables.
- DNS Firewall policies — Associates rule groups with VPCs.
- NACL policies — Updates network ACLs to match policy rules.
- When disabled, Firewall Manager reports non-compliance but does not make changes — useful for monitoring mode.
- Recommended approach: Start with auto-remediation disabled to identify resources requiring manual handling, then enable it when confident in the policy scope.
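While a policy runs with auto-remediation disabled, the compliance API is the quickest way to see what would change if it were enabled. The following is an added example for this page (not AWS code) that walks `ListComplianceStatus` and `GetComplianceDetail` for one policy, then separates violators whose remediation would only add a protection from those whose remediation would replace or edit something an account already configured. The split between those two groups is a judgement made for this example, not an AWS classification; the violation reason strings are `ViolationReason` values from the API. The sample violations, account IDs and resource ARNs are constructed.

```python
from collections import Counter, defaultdict

# Reasons whose remediation only *adds* a protection to the resource. Anything
# else (e.g. RESOURCE_INCORRECT_WEB_ACL, WEB_ACL_MISSING_RULE_GROUP,
# RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP) replaces or edits an existing
# configuration and is worth a conversation with the owning team first.
# This grouping is an assumption made for the example, not an AWS list.
CREATE_ONLY = {
    "RESOURCE_MISSING_WEB_ACL",
    "RESOURCE_MISSING_SHIELD_PROTECTION",
    "RESOURCE_MISSING_SECURITY_GROUP",
}


def fetch_violators(fms, policy_id):
    """Yield (member_account, violator) for every non-compliant account.
    `fms` is a boto3 FMS client in the Firewall Manager administrator
    account; this needs credentials and is not executed offline."""
    token = None
    while True:
        kwargs = {"PolicyId": policy_id}
        if token:
            kwargs["NextToken"] = token
        page = fms.list_compliance_status(**kwargs)
        for status in page["PolicyComplianceStatusList"]:
            results = status["EvaluationResults"]
            if all(r["ComplianceStatus"] == "COMPLIANT" for r in results):
                continue
            detail = fms.get_compliance_detail(
                PolicyId=policy_id, MemberAccount=status["MemberAccount"]
            )["PolicyComplianceDetail"]
            for violator in detail["Violators"]:
                yield status["MemberAccount"], violator
        token = page.get("NextToken")
        if not token:
            break


def summarize(violations):
    """Group violators by reason and by account, and list the ones whose
    remediation would change an existing configuration."""
    by_reason = Counter()
    by_account = defaultdict(list)
    review_first = []
    for account, v in violations:
        reason = v["ViolationReason"]
        by_reason[reason] += 1
        by_account[account].append(v["ResourceId"])
        if reason not in CREATE_ONLY:  # changes existing config, or unknown
            review_first.append((account, v["ResourceId"], reason))
    return {
        "by_reason": dict(by_reason),
        "by_account": dict(by_account),
        "review_first": review_first,
    }


def safe_to_enable_remediation(summary):
    """True when every violator would only gain a new protection."""
    return not summary["review_first"]


# Constructed sample, shaped like the Violators entries get_compliance_detail
# returns (account IDs and load balancer names are made up).
SAMPLE_VIOLATIONS = [
    ("111111111111", {
        "ResourceId": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/web/0123456789abcdef",
        "ViolationReason": "RESOURCE_MISSING_WEB_ACL",
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer"}),
    ("111111111111", {
        "ResourceId": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/api/fedcba9876543210",
        "ViolationReason": "RESOURCE_INCORRECT_WEB_ACL",
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer"}),
    ("333333333333", {
        "ResourceId": "arn:aws:elasticloadbalancing:us-east-1:333333333333:loadbalancer/app/shop/0011223344556677",
        "ViolationReason": "RESOURCE_MISSING_WEB_ACL",
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer"}),
]

if __name__ == "__main__":
    s = summarize(SAMPLE_VIOLATIONS)
    print(s["by_reason"])
    for account, resource, reason in s["review_first"]:
        print(f"review before enabling remediation: {account} {resource} ({reason})")
    print("safe to enable remediation:", safe_to_enable_remediation(s))
```

With real data, replace `SAMPLE_VIOLATIONS` by `list(fetch_violators(boto3.client("fms"), policy_id))`. A `RESOURCE_INCORRECT_WEB_ACL` entry means the resource already has a Web ACL the policy did not create; whether remediation replaces it depends on the policy's `overrideCustomerWebACLAssociation` setting, so those are the ones to resolve by hand before flipping remediation on.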
Integration with AWS Security Hub
- Firewall Manager integrates natively with AWS Security Hub to send compliance findings.
- Findings are generated for:
- Resources that are out of compliance with Firewall Manager policies.
- Attacks detected by Shield Advanced.
- Resources missing expected protections.
- Security Hub aggregates findings across accounts and Regions for centralized visibility.
- Enables SOC teams to track and respond to compliance drift from a single pane of glass.
- Supports automated remediation workflows when combined with Security Hub custom actions and EventBridge.
- Integration can be enabled/disabled from the Security Hub console under Integrations.
Cross-Account Management
- Firewall Manager uses the delegated administrator model for cross-account management.
- The Firewall Manager administrator can:
- Create and apply policies across all member accounts.
- View compliance status of all accounts.
- Monitor DDoS events across the organization.
- Manage WAF rule groups that are shared across accounts.
- Individual account owners can:
- Add their own rules between centrally managed first and last rule groups (WAF policies).
- View compliance status for their own resources.
- Cannot remove or modify centrally enforced rules.
- Firewall Manager uses AWS Organizations trusted access together with its AWSServiceRoleForFMS service-linked role to deploy and manage resources in member accounts.
- Multiple Firewall Manager administrators can be designated with different administrative scopes.
Firewall Manager vs Individual Service Management vs Control Tower Guardrails
| Feature | Individual Service Management | AWS Firewall Manager | AWS Control Tower Guardrails |
|---|---|---|---|
| Scope | Single account, manual per-account setup | Multi-account via Organizations, centralized policies | Multi-account governance and compliance controls |
| Primary Purpose | Configure individual firewall/security resources | Centralized firewall policy deployment and enforcement | Account governance, SCPs, and compliance baselines |
| Auto-Remediation | Not built-in (requires custom automation) | Yes — automatically deploys protections to non-compliant resources | Preventive (SCPs block actions) and Detective (Config rules report violations) |
| New Account Handling | Manual configuration required | Automatic — policies applied to new accounts/resources immediately | Automatic via Account Factory and enrolled OUs |
| Policy Types | Depends on individual service (WAF rules, SGs, NACLs) | WAF, Shield, Security Groups, NACLs, Network Firewall, DNS Firewall, Third-party | SCPs, Config Rules (detective/proactive), CloudFormation Hooks |
| Focus Area | Network/application layer protection configuration | Network/application layer firewall policy enforcement at scale | Broad governance (IAM, logging, networking, data residency) |
| Compliance Monitoring | Must configure separately (Config, CloudWatch) | Built-in dashboard + Security Hub integration | Built-in Control Tower dashboard |
| Prerequisites | None beyond IAM permissions | Organizations (all features), AWS Config | Organizations, Control Tower landing zone |
| Cost | Only the underlying service charges | $100/policy/Region/month + underlying service charges | No additional charge (pays for underlying Config rules) |
| Best For | Small environments, single account, simple setups | Multi-account firewall/security policy enforcement at scale | Overall account governance, compliance frameworks, landing zone management |
| Complementary Use | Used alongside Firewall Manager as the underlying service | Works with Control Tower — Firewall Manager handles network security while Control Tower handles governance | Works with Firewall Manager — Control Tower handles governance while Firewall Manager handles firewall policies |
When to Use Which
- Individual Service Management — Single-account environments, proof of concepts, or when you need granular per-resource configuration without organizational overhead.
- AWS Firewall Manager — Multi-account environments requiring consistent firewall policies, automatic protection of new resources, and centralized compliance monitoring for network security.
- AWS Control Tower Guardrails — Broad organizational governance including IAM restrictions, logging requirements, data residency controls, and account baseline configurations.
- Firewall Manager + Control Tower (Together) — Best practice for enterprises: Control Tower manages account governance and baselines, while Firewall Manager enforces network security policies. They are complementary, not competing services.
AWS Firewall Manager Pricing
- Protection Policy Fee: $100 per policy per Region per month (prorated hourly).
- Shield Advanced customers: Firewall Manager policy fees for WAF and Shield Advanced policies are included at no additional charge (Config rule charges still apply; other policy types are billed normally).
- AWS Config Rules: Firewall Manager creates Config rules per policy per account in each Region where the policy applies, charged at standard Config pricing ($0.003 per configuration item recorded and $0.001 per rule evaluation for the first 100,000 evaluations per month).
- Underlying service charges: WAF Web ACLs/rules, Network Firewall endpoints, Shield Advanced, DNS Firewall queries, and third-party firewall charges apply separately.
- No minimum fees or upfront commitments — pay only for what is used.
- Note: Some Regions have per-policy prices greater than $100. Check the AWS pricing page for Region-specific pricing.
Pricing Example
- 1 WAF policy, 7 accounts, no Shield Advanced:
- Firewall Manager: $100/month
- WAF (7 Web ACLs + 7 rules): $42/month
- Config rules: ~$40/month
- Total: ~$182/month
- Same scenario WITH Shield Advanced:
- Firewall Manager: $0 (included with Shield Advanced)
- WAF: $0 (included with Shield Advanced)
- Config rules: ~$40/month
- Total: ~$40/month (plus Shield Advanced subscription of $3,000/month)
AWS Certification Exam Practice Questions
Questions are based on this topic for the AWS Certified Security – Specialty (SCS-C02) and AWS Certified Solutions Architect – Professional (SAP-C02) exams.
- A security team wants to enforce a standard set of AWS WAF rules across all accounts in an AWS Organization. The rules should be applied automatically to any new Application Load Balancer created in any account. Individual teams should be able to add their own additional WAF rules. What is the most operationally efficient approach?
- Create a WAF Web ACL in each account using AWS CloudFormation StackSets
- Use AWS Firewall Manager to create a WAF policy with first and last rule groups scoped to the entire organization
- Use AWS Control Tower to create a preventive guardrail that blocks ALBs without WAF
- Create a Lambda function triggered by CloudTrail to attach WAF rules to new ALBs
Show Answer
Answer: b – AWS Firewall Manager WAF policies support first and last rule groups that are centrally enforced while allowing account owners to add rules between them. It automatically applies to new resources including ALBs created in new accounts.
- A company uses AWS Organizations with 50 accounts across 3 Regions. The security architect needs to ensure all VPCs have AWS Network Firewall endpoints deployed with a standard inspection rule set. New VPCs should be protected automatically without manual intervention. What combination of services achieves this with the LEAST operational overhead?
- AWS CloudFormation StackSets with drift detection
- AWS Firewall Manager with a Network Firewall policy in distributed mode with auto-remediation enabled
- AWS Control Tower with a custom Config rule and Systems Manager remediation
- AWS Service Catalog with an approved Network Firewall product
Show Answer
Answer: b – Firewall Manager Network Firewall policies in distributed mode automatically deploy firewall endpoints to all in-scope VPCs. With auto-remediation enabled, new VPCs are protected immediately. This requires the least operational overhead compared to custom automation approaches.
- An organization wants to audit all security groups across 100 accounts to identify rules that allow unrestricted SSH access (0.0.0.0/0 on port 22). Non-compliant security groups should be flagged but NOT automatically modified. Findings should appear in AWS Security Hub. Which approach meets these requirements?
- Create a Firewall Manager security group audit policy with auto-remediation disabled
- Create a Firewall Manager common security group policy
- Deploy a Config managed rule restricted-ssh using StackSets
- Use AWS Control Tower detective guardrail for open SSH
Show Answer
Answer: a – Firewall Manager security group content audit policies define guardrails for allowed/disallowed security group rules and detect overly permissive rules such as 0.0.0.0/0 on port 22. With auto-remediation disabled, Firewall Manager reports non-compliance without modifying the security groups, and the findings are sent to Security Hub when the Firewall Manager integration is enabled there.
- What are the mandatory prerequisites for deploying AWS Firewall Manager policies across an organization? (Select TWO)
- AWS Control Tower must be configured
- AWS Organizations must be enabled with all features
- AWS Config must be enabled in all accounts and Regions where policies apply
- AWS CloudTrail must have an organization trail configured
- AWS Shield Advanced must be subscribed
Show Answer
Answer: b, c – AWS Organizations (all features enabled) and AWS Config are mandatory prerequisites for Firewall Manager. Control Tower and CloudTrail are not required. Shield Advanced is only required for Shield policies specifically.
- A company applies a single AWS Firewall Manager WAF policy to its organization in 2 Regions. Considering only the Firewall Manager protection policy fee, what is the monthly charge?
- $100 (one policy applies to both Regions)
- $200 (one policy, charged per Region)
- $2,000 (one policy per account per Region)
- $4,000 (charged per account per Region)
Show Answer
Answer: b – Firewall Manager charges $100 per policy per Region per month. With one WAF policy applied in 2 Regions, the Firewall Manager fee is $200/month. The fee is per policy per Region, regardless of the number of accounts in scope.
AWS Firewall Manager Certification Tips
- SCS-C02 (Security Specialty) — Firewall Manager is heavily tested. Focus on:
- Centralized WAF management across accounts
- Auto-remediation capabilities and when to use monitoring-only mode
- Prerequisites (Organizations + Config)
- Security group auditing for compliance
- Integration with Security Hub for findings
- Shield Advanced policy management
- SAP-C02 (Solutions Architect Professional) — Focus on:
- Multi-account security architecture with Organizations
- When to use Firewall Manager vs individual service management
- Firewall Manager + Control Tower as complementary services
- Cost optimization (Shield Advanced includes FM at no charge)
- Operational efficiency — FM as the answer for “least operational overhead” in multi-account scenarios
- Network Firewall deployment models (distributed vs centralized)
- Common Exam Patterns:
- “Centrally manage security policies across all accounts” → Firewall Manager
- “Automatically protect new resources” → Firewall Manager with auto-remediation
- “Enforce WAF rules while allowing teams flexibility” → FM WAF policy with first/last rule groups
- “Audit security groups across organization” → FM security group audit policy
- “Deploy Network Firewall across multiple VPCs with least effort” → FM Network Firewall policy
Frequently Asked Questions
What is AWS Firewall Manager?
Firewall Manager centrally configures and manages security policies (WAF, Shield Advanced, Security Groups, Network Firewall, DNS Firewall) across all accounts in your AWS Organization. It auto-remediates non-compliant resources.
What are the prerequisites for Firewall Manager?
You need AWS Organizations with all features enabled, AWS Config enabled in all accounts/Regions you want to protect, and a designated Firewall Manager administrator account.
How much does Firewall Manager cost?
Firewall Manager charges $100 per policy per Region per month, plus the underlying service charges (WAF rules, Network Firewall endpoints, etc.). Shield Advanced customers get Firewall Manager at no additional charge for WAF and Shield policies.