AWS Firewall Manager Policy
This page shows how to write Terraform and CloudFormation for Firewall Manager Policy and write them securely.
aws_fms_policy (Terraform)
The Policy in Firewall Manager can be configured in Terraform with the resource name aws_fms_policy. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_fms_policy" "shiled_advanced" {
  for_each                    = local.shiled_advanced_policies
  name                        = module.shiled_advanced_label[each.key].id
  delete_all_policy_resources = lookup(each.value, "delete_all_policy_resources", true)
  exclude_resource_tags       = lookup(each.value, "exclude_resource_tags", false)
  # excerpt: the remaining arguments are not shown in the source listing
}

resource "aws_fms_policy" "waf" {
  for_each                    = local.waf_policies
  name                        = module.waf_label[each.key].id
  delete_all_policy_resources = lookup(each.value, "delete_all_policy_resources", true)
  exclude_resource_tags       = lookup(each.value, "exclude_resource_tags", false)
  # excerpt: the remaining arguments are not shown in the source listing
}

resource "aws_fms_policy" "dns_firewall" {
  for_each                    = local.dns_firewall_policies
  name                        = module.dns_firewall_label[each.key].id
  delete_all_policy_resources = lookup(each.value, "delete_all_policy_resources", true)
  exclude_resource_tags       = lookup(each.value, "exclude_resource_tags", false)
  # excerpt: the remaining arguments are not shown in the source listing
}

resource "aws_fms_policy" "security_groups_usage_audit" {
  for_each                    = local.security_groups_usage_audit_policies
  name                        = module.security_groups_usage_audit_label[each.key].id
  delete_all_policy_resources = lookup(each.value, "delete_all_policy_resources", true)
  exclude_resource_tags       = lookup(each.value, "exclude_resource_tags", false)
  # excerpt: the remaining arguments are not shown in the source listing
}

resource "aws_fms_policy" "security_groups_content_audit" {
  for_each                    = local.security_groups_content_audit_policies
  name                        = module.security_groups_content_audit_label[each.key].id
  delete_all_policy_resources = lookup(each.value, "delete_all_policy_resources", true)
  exclude_resource_tags       = lookup(each.value, "exclude_resource_tags", false)
  # excerpt: the remaining arguments are not shown in the source listing
}
Parameters
- arn: optional, computed - string
- delete_all_policy_resources: optional - bool
- exclude_resource_tags: required - bool
- id: optional, computed - string
- name: required - string
- policy_update_token: optional, computed - string
- remediation_enabled: optional - bool
- resource_tags: optional - map from string to string
- resource_type: optional, computed - string
- resource_type_list: optional, computed - set of string
- exclude_map: list block
- include_map: list block
- security_service_policy_data: list block
  - managed_service_data: optional - string
  - type: required - string
Explanation in Terraform Registry
Provides a resource to create an AWS Firewall Manager policy. You need to be using AWS Organizations and have enabled the Firewall Manager administrator account.
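As an added example that is not code from this page or from the cloudposse module, the following complete aws_fms_policy enforces an AWS WAFv2 managed rule set on tagged Application Load Balancers across the organization, with remediation turned on so non-compliant ALBs get the web ACL attached automatically. The policy name, the account ID and the tag values are placeholders, and the managed_service_data keys follow the Firewall Manager WAFV2 JSON format.

```hcl
# Added example: a WAFV2 Firewall Manager policy for tagged ALBs.
# Account ID, tag values and the policy name are placeholders (assumption).
resource "aws_fms_policy" "waf_alb_baseline" {
  name                        = "fms-waf-alb-baseline"
  resource_type               = "AWS::ElasticLoadBalancingV2::LoadBalancer"
  remediation_enabled         = true  # attach the web ACL to ALBs that drift out of compliance
  delete_all_policy_resources = true  # remove web ACLs the policy created if the policy is deleted
  exclude_resource_tags       = false # resource_tags below selects resources that are IN scope

  # Only ALBs carrying this tag are governed by the policy.
  resource_tags = {
    "fms-waf" = "baseline"
  }

  # Scope: placeholder member account (assumption); orgunit IDs are also accepted here.
  include_map {
    account = ["111122223333"]
  }

  security_service_policy_data {
    type = "WAFV2"

    # Firewall Manager takes the WAFV2 policy definition as a JSON string.
    managed_service_data = jsonencode({
      type = "WAFV2"
      # Rule groups evaluated before any rules the account adds to the web ACL.
      preProcessRuleGroups = [{
        ruleGroupType = "ManagedRuleGroup"
        managedRuleGroupIdentifier = {
          vendorName           = "AWS"
          managedRuleGroupName = "AWSManagedRulesCommonRuleSet"
          version              = null # null = use the current default version
        }
        overrideAction = { type = "NONE" } # keep the rule group's own BLOCK actions
        excludeRules   = []
        ruleGroupArn   = null
      }]
      postProcessRuleGroups = []
      # Requests matching no rule are allowed; the managed rules do the blocking.
      defaultAction                     = { type = "ALLOW" }
      overrideCustomerWebACLAssociation = false
      loggingConfiguration              = null
    })
  }
}
```

Run terraform validate and terraform plan before applying; setting overrideCustomerWebACLAssociation to true would instead replace any web ACL an account has already associated with an in-scope ALB.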
AWS::FMS::Policy (CloudFormation)
The Policy in FMS can be configured in CloudFormation with the resource name AWS::FMS::Policy. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::FMS::Policy
Properties:
  PolicyName: fms-regional-waf-default-policy
  DeleteAllPolicyResources: true
  RemediationEnabled: true
  ExcludeResourceTags: true

Type: AWS::FMS::Policy
Properties:
  Tags:
    - Key: "isSpecial"
      Value: "true"
  ResourceType: AWS::ElasticLoadBalancingV2::LoadBalancer

Type: AWS::FMS::Policy
Properties:
  Tags:
    - Key: "isSpecial"
      Value: "true"
    - Key: new_tag
Parameters
- ExcludeMap: optional - IEMap
- ExcludeResourceTags: required - Boolean
- IncludeMap: optional - IEMap
- PolicyName: required - String
- RemediationEnabled: required - Boolean
- ResourceTags: optional - List of ResourceTag
- ResourceType: required - String
- ResourceTypeList: optional - List
- SecurityServicePolicyData: required - Json
- DeleteAllPolicyResources: optional - Boolean
- ResourcesCleanUp: optional - Boolean
- Tags: optional - List of PolicyTag
Explanation in CloudFormation Registry
An AWS Firewall Manager policy.
Firewall Manager provides the following types of policies:
- An AWS Shield Advanced policy, which applies Shield Advanced protection to specified accounts and resources.
- An AWS WAF policy (type WAFV2), which defines rule groups to run first in the corresponding AWS WAF web ACL and rule groups to run last in the web ACL.
- An AWS WAF Classic policy, which defines a rule group. AWS WAF Classic doesn't support rule groups in Amazon CloudFront, so, to create AWS WAF Classic policies through CloudFront, you first need to create your rule groups outside of CloudFront.
- A security group policy, which manages VPC security groups across your AWS organization.
- An AWS Network Firewall policy, which provides firewall rules to filter network traffic in specified Amazon VPCs.
- A DNS Firewall policy, which provides Amazon Route 53 Resolver DNS Firewall rules to filter DNS queries for specified Amazon VPCs.
Each policy is specific to one of the types. If you want to enforce more than one policy type across accounts, create multiple policies. You can create multiple policies for each type.
These policies require some setup to use. For more information, see the sections on prerequisites and getting started under AWS Firewall Manager.
Frequently asked questions
What is AWS Firewall Manager Policy?
AWS Firewall Manager Policy is a resource for Firewall Manager of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Firewall Manager Policy?
For Terraform, the cloudposse/terraform-aws-firewall-manager source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the mynameisakash/aws_sec_ref_arch and bridgecrewio/yor source code examples are useful. See the CloudFormation Example section for further details.