Firewall Policy For AWS Security Group

Sumesh S
3 min readDec 28, 2020


AWS Firewall Manager provides centralized control for the Security Groups.

If the requirement is to stop every user in the organization from creating a security group with an open policy (all traffic), and to allow only inbound rules for HTTPS (port 443), or for a limited set of inbound rules of your choosing, then you are on the right page.

1. Create a Security Group

Let's say we only want to allow security groups whose inbound rules permit HTTPS (443).

Create a security group as below with CloudFormation:

```yaml
Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: FW-SecurityGroup
      GroupDescription: Allow access to the AWS
      VpcId: vpc-1234567 # Update with VPC ID of your account
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: '0.0.0.0/0'
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0
```

2. Create Firewall Manager Policy

In the AWS Console, go to AWS Firewall Manager > Security policies > Create policy.

Select Policy type: `Security group` and Security group policy type: `Auditing and enforcement of security group rules`.

Now we need to connect the Firewall Manager policy with the security group we created. Under "Configure custom policy rules", add the security group whose inbound rule contains the HTTPS (port 443) rule; it becomes the reference (audit) security group.

The next step is what makes any security group in your organization that allows traffic other than port 443 get cleaned up automatically: the rules not covered by the reference group are removed.

We achieve this by setting the policy action to Auto remediate.

We can limit the policy scope to a specific account or to an organization unit.

Resource Type: Security group (In this use case)

Note: AWS Firewall Manager policies are available for AWS Organizations accounts and not for Free tier users.
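Before turning on auto remediation it helps to see what the content audit compares. The following Python is an added example, not part of the original post or of Firewall Manager itself; it models the `SECURITY_GROUPS_CONTENT_AUDIT` check with `securityGroupAction` `ALLOW` over rule dicts shaped like the EC2 `IpPermissions` structure, using constructed sample data (source-group rules via `UserIdGroupPairs` are not modelled).

```python
"""Offline model of an FMS SECURITY_GROUPS_CONTENT_AUDIT policy (action ALLOW):
every inbound rule of a candidate security group must be covered by at least
one rule of the reference (audit) security group. Rule dicts mirror the shape
of EC2 DescribeSecurityGroups IpPermissions; UserIdGroupPairs are ignored."""
import ipaddress

def _ports(rule):
    """Return (from, to) for a rule; protocol -1 (all traffic) covers every port."""
    if str(rule["IpProtocol"]) == "-1":
        return (0, 65535)
    return (rule.get("FromPort", 0), rule.get("ToPort", 65535))

def _covers(ref, rule):
    """True when one reference rule covers one candidate rule: protocol matches
    (or reference is -1), port range is contained, every CIDR is contained."""
    if str(ref["IpProtocol"]) != "-1" and ref["IpProtocol"] != rule["IpProtocol"]:
        return False
    ref_from, ref_to = _ports(ref)
    cand_from, cand_to = _ports(rule)
    if not (ref_from <= cand_from and cand_to <= ref_to):
        return False
    ref_nets = [ipaddress.ip_network(r["CidrIp"]) for r in ref.get("IpRanges", [])]
    for r in rule.get("IpRanges", []):
        net = ipaddress.ip_network(r["CidrIp"])
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if not any(n.version == net.version and net.subnet_of(n) for n in ref_nets):
            return False
    return True

def noncompliant_rules(reference_rules, candidate_rules):
    """Candidate inbound rules that no reference rule covers; with auto
    remediation enabled these are the rules Firewall Manager would remove."""
    return [r for r in candidate_rules
            if not any(_covers(ref, r) for ref in reference_rules)]

# Constructed sample data (not from a real account): the reference group only
# allows HTTPS from anywhere, matching the FW-SecurityGroup in this post.
REFERENCE = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
CANDIDATE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},              # covered: narrower CIDR
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},               # violation: SSH open
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # violation: all traffic
]

if __name__ == "__main__":
    for r in noncompliant_rules(REFERENCE, CANDIDATE):
        print("would be removed:", r)
```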

All of the above steps can also be done as IaC; the CloudFormation template is below:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: AWS Firewall Organizational Policy - SecurityGroup
Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: FW-SecurityGroup
      GroupDescription: Allow access to the AWS
      VpcId: vpc-1234567890 # Update your Account VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: '0.0.0.0/0'
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0
  FirewallPolicy:
    Type: AWS::FMS::Policy
    Properties:
      IncludeMap:
        ACCOUNT:
          - 123451234123 # Target Account ID
      ExcludeResourceTags: 'false'
      PolicyName: SecurityGroup-FW-Policy
      RemediationEnabled: 'true'
      ResourceType: AWS::EC2::SecurityGroup
      SecurityServicePolicyData:
        Type: SECURITY_GROUPS_CONTENT_AUDIT
        ManagedServiceData: !Sub '{"type":"SECURITY_GROUPS_CONTENT_AUDIT","securityGroups":[{"id":"${SecurityGroup.GroupId}"}],"securityGroupAction":{"type":"ALLOW"}}'
```

With this Firewall Manager policy, we can make sure no security group violates the inbound rules defined in the master security group. #Safe Clouding :)
