AWS Firewall Manager
AWS Security Architect, https://awssecurityarchitect.com/aws-firewall-manager/aws-firewall-manager/
Published Fri, 24 Oct 2025 14:50:37 +0000

Firewall Manager in Shared VPC Environments

How AWS Firewall Manager (FMS) governs centralized network and security policies in Shared VPC deployments, and which aspects of security are controlled at the organization level.

Key Idea: In a Shared VPC, the host account owns all network infrastructure, while participant accounts host workloads. AWS Firewall Manager operates across all these accounts to enforce uniform firewall, WAF, and SG policies centrally from the security administrator account.

1. AWS Firewall Manager Overview

AWS Firewall Manager (FMS) is a centralized security policy enforcement service integrated with AWS Organizations. It allows security administrators to define firewall, WAF, and network protection policies in a single account and automatically apply them across member accounts.

When used with Shared VPCs, FMS integrates directly with:

  • AWS Network Firewall (for centralized network-layer protection)
  • AWS WAF (for application-layer protection)
  • Security Group policies (for instance-level enforcement)
  • Route 53 Resolver DNS Firewall (for domain-based filtering)

2. How Firewall Manager Operates in a Shared VPC

Shared VPC Structure Recap

  • The Host Account owns the VPC, subnets, NACLs, and routing tables.
  • Participant Accounts deploy workloads (EC2, ECS tasks, ENIs) in the shared subnets.
  • Firewall Manager Admin Account manages organization-wide policies.

Firewall Manager’s Scope in Shared VPCs

  • FMS operates at the organization level (across accounts), not just per VPC.
  • For Shared VPCs, FMS applies policies directly to the Host Account’s VPC since it owns the network layer.
  • It automatically discovers the shared subnets and applies security group compliance checks or Network Firewall deployments to them.
  • Participant accounts cannot override enforced SG, WAF, or firewall rules defined by FMS.

Shared VPC Security Group and Traffic Flow Diagram

[Diagram image: AWS Firewall Manager in a Shared VPC]

Diagram: Firewall Manager centrally enforces SG, Network Firewall, and DNS Firewall across shared subnets and participant workloads.

3. Security Aspects Controlled by Firewall Manager

Security Aspect | Managed By | Description
Network Firewall Policies | Firewall Manager (Host Account) | Automatically deploys AWS Network Firewall endpoints into shared subnets. Enforces centralized stateful and stateless rule groups (e.g., IPS/IDS, egress filtering, domain filtering).
Security Group Policies | Firewall Manager (Org Admin) | Defines allowed/denied SG rules across all accounts. Prevents overly permissive rules (e.g., 0.0.0.0/0 on SSH). Can audit and auto-remediate SGs in participant accounts.
AWS WAF Rules | Firewall Manager | Applies web ACLs consistently across Application Load Balancers or CloudFront distributions hosted in shared or member accounts.
DNS Firewall Rules | Firewall Manager | Centralized domain name blocking or allowing across Route 53 Resolver endpoints used by workloads in shared subnets.
Policy Enforcement Visibility | Firewall Manager | Aggregates compliance status (e.g., missing SG rules, unassociated firewalls) across accounts in the AWS Organization and sends findings to Security Hub or CloudWatch.
Flow Logging and Monitoring | Host Account | Firewall Manager integrates with GuardDuty and VPC Flow Logs for detecting anomalous traffic patterns in shared VPCs.

4. Example: Shared VPC Policy Application Flow

  1. Security Admin in the Firewall Manager administrator account defines a Network Firewall policy for the Shared VPC’s subnets.
  2. FMS automatically deploys firewall endpoints in the host account’s subnets (e.g., Inspection VPC or shared subnet).
  3. Security Group Policy is enforced so that participant workloads cannot create SGs with unrestricted ingress/egress.
  4. Traffic from participant EC2 instances is routed through the centralized Network Firewall (for east-west and north-south inspection).
  5. Compliance violations (e.g., missing SG association) appear in the FMS dashboard for remediation.
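The following Python is an added example, not code from the original post. It models the security group baseline that an FMS content-audit policy (SECURITY_GROUPS_CONTENT_AUDIT with an ALLOW action) enforces, checks a constructed participant-account security group against it in the way steps 3 and 5 describe, and builds the boto3 `put_policy` request that would deploy such a policy from the administrator account. The baseline rules, the participant rules, the policy name and the `sg-PLACEHOLDER` id are all constructed; the block makes no AWS calls.

```python
"""Added example: local model of an FMS security group content audit, plus the
put_policy request shape. Not from the original post; no AWS calls are made."""
import ipaddress
import json
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One ingress rule: protocol ("tcp", "udp", or "-1" for all), port range, source CIDR."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str


def rule_within(candidate: Rule, baseline: Rule) -> bool:
    """True if every packet matched by `candidate` is also matched by `baseline`."""
    proto_ok = baseline.protocol == "-1" or candidate.protocol == baseline.protocol
    if baseline.protocol == "-1":
        ports_ok = True  # an all-protocol baseline rule covers any port range
    else:
        ports_ok = baseline.from_port <= candidate.from_port and candidate.to_port <= baseline.to_port
    cand_net = ipaddress.ip_network(candidate.cidr, strict=False)
    base_net = ipaddress.ip_network(baseline.cidr, strict=False)
    cidr_ok = cand_net.version == base_net.version and cand_net.subnet_of(base_net)
    return proto_ok and ports_ok and cidr_ok


def audit_security_group(rules: List[Rule], baseline: List[Rule]) -> List[Rule]:
    """Return the rules that are broader than anything in the baseline: these are
    what a content audit with an ALLOW action reports (and, with remediation
    enabled, removes) in a participant account."""
    return [r for r in rules if not any(rule_within(r, b) for b in baseline)]


# Constructed baseline: HTTPS from anywhere, SSH only from an internal range.
BASELINE = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "10.0.0.0/8"),
]

# Constructed participant-account security group showing the drift FMS should catch.
PARTICIPANT_SG = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),    # within baseline
    Rule("tcp", 22, 22, "10.20.0.0/16"),   # within baseline (subnet of 10.0.0.0/8)
    Rule("tcp", 22, 22, "0.0.0.0/0"),      # violation: SSH open to the world
    Rule("tcp", 0, 65535, "10.0.0.0/8"),   # violation: port range wider than baseline
]


def fms_content_audit_policy(policy_name: str, audit_sg_id: str) -> dict:
    """Build the keyword arguments for boto3 `fms.put_policy(**...)` for a
    content-audit policy whose allowed rules are those of `audit_sg_id`
    (a security group in the administrator account). ManagedServiceData is a
    JSON string, as the FMS API expects. The ids used by callers here are placeholders."""
    managed = {
        "type": "SECURITY_GROUPS_CONTENT_AUDIT",
        "securityGroups": [{"id": audit_sg_id}],
        "securityGroupAction": {"type": "ALLOW"},
    }
    return {
        "Policy": {
            "PolicyName": policy_name,
            "SecurityServicePolicyData": {
                "Type": "SECURITY_GROUPS_CONTENT_AUDIT",
                "ManagedServiceData": json.dumps(managed),
            },
            "ResourceType": "AWS::EC2::SecurityGroup",
            "ExcludeResourceTags": False,
            "RemediationEnabled": True,  # auto-remediate, as the post recommends
        }
    }


if __name__ == "__main__":
    for violation in audit_security_group(PARTICIPANT_SG, BASELINE):
        print("violation:", violation)
    print(json.dumps(fms_content_audit_policy("shared-vpc-sg-baseline", "sg-PLACEHOLDER"), indent=2))
```

The local check is intentionally the same comparison FMS makes: a participant rule is compliant only when some baseline rule covers its protocol, its whole port range and its whole source CIDR, so a `/16` inside the allowed `/8` passes while an SSH rule from `0.0.0.0/0` does not. Deploying the policy is a matter of creating the audit security group in the administrator account and passing the returned dict to `put_policy`.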

5. Best Practices for FMS in Shared VPCs

  • Designate a dedicated Security Administrator Account with FMS admin privileges.
  • Deploy Network Firewall in dedicated inspection subnets within the host account.
  • Apply security group policies that define baseline ingress/egress templates for all workloads.
  • Enable auto-remediation for SG and WAF noncompliance to reduce drift.
  • Integrate FMS with Security Hub and CloudWatch for unified visibility and alerting.
  • Regularly audit RAM sharing configuration to ensure correct subnet and SG exposure.
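As an added example of the unified-visibility practice above (not code from the original post), the Python below rolls up Firewall Manager compliance results per member account, the kind of summary that would feed a CloudWatch metric or an alert. The sample response is constructed to follow the shape of boto3 `fms.list_compliance_status()`; the account ids and policy id are placeholders, and no AWS calls are made.

```python
"""Added example: per-account roll-up of FMS compliance status. Not from the
original post; SAMPLE_RESPONSE is constructed, no AWS calls are made."""
from typing import Dict, List

# Constructed sample in the shape of fms.list_compliance_status(PolicyId=...) output.
SAMPLE_RESPONSE = {
    "PolicyComplianceStatusList": [
        {
            "PolicyId": "00000000-0000-0000-0000-000000000000",  # placeholder
            "PolicyName": "shared-vpc-sg-baseline",
            "MemberAccount": "111111111111",  # constructed host account
            "EvaluationResults": [
                {"ComplianceStatus": "COMPLIANT", "ViolatorCount": 0, "EvaluationLimitExceeded": False}
            ],
        },
        {
            "PolicyId": "00000000-0000-0000-0000-000000000000",
            "PolicyName": "shared-vpc-sg-baseline",
            "MemberAccount": "222222222222",  # constructed participant account
            "EvaluationResults": [
                {"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 3, "EvaluationLimitExceeded": False}
            ],
        },
        {
            "PolicyId": "00000000-0000-0000-0000-000000000000",
            "PolicyName": "shared-vpc-sg-baseline",
            "MemberAccount": "333333333333",  # constructed participant account
            "EvaluationResults": [
                # EvaluationLimitExceeded means the count is a lower bound, not the total
                {"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 1, "EvaluationLimitExceeded": True}
            ],
        },
    ]
}


def noncompliant_accounts(response: dict) -> Dict[str, int]:
    """Map each NON_COMPLIANT member account to its total violator count."""
    totals: Dict[str, int] = {}
    for status in response.get("PolicyComplianceStatusList", []):
        for result in status.get("EvaluationResults", []):
            if result.get("ComplianceStatus") == "NON_COMPLIANT":
                acct = status["MemberAccount"]
                totals[acct] = totals.get(acct, 0) + int(result.get("ViolatorCount", 0))
    return totals


def alert_lines(response: dict, threshold: int = 1) -> List[str]:
    """Readable lines for accounts with at least `threshold` violators; a truncated
    evaluation is called out so the reader does not treat the count as exact."""
    lines: List[str] = []
    for status in response.get("PolicyComplianceStatusList", []):
        for result in status.get("EvaluationResults", []):
            if result.get("ComplianceStatus") != "NON_COMPLIANT":
                continue
            count = int(result.get("ViolatorCount", 0))
            if count < threshold:
                continue
            suffix = " (count truncated; evaluation limit exceeded)" if result.get("EvaluationLimitExceeded") else ""
            lines.append(f"{status['PolicyName']}: account {status['MemberAccount']} has {count} violator(s){suffix}")
    return lines


def cloudwatch_metric_data(response: dict, metric_name: str = "FmsViolators") -> List[dict]:
    """Build the MetricData list for boto3 `cloudwatch.put_metric_data(Namespace=..., MetricData=...)`,
    one datapoint per non-compliant account, so an alarm can trigger on any account above zero."""
    return [
        {
            "MetricName": metric_name,
            "Dimensions": [{"Name": "MemberAccount", "Value": acct}],
            "Value": count,
            "Unit": "Count",
        }
        for acct, count in noncompliant_accounts(response).items()
    ]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_RESPONSE):
        print(line)
    print(cloudwatch_metric_data(SAMPLE_RESPONSE))
```

In a real deployment the response would come from paging through `list_compliance_status` for each policy id returned by `list_policies`; the roll-up logic is unchanged.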

© 2025 — AWS Firewall Manager & Shared VPC Security Architecture Reference


The post AWS Firewall Manager appeared first on AWS Security Architect.
