AWS Firewall Manager Policy

This page shows how to write Terraform and CloudFormation configuration for an AWS Firewall Manager policy, and how to write it securely.


Terraform Example (aws_fms_policy)

Provides a resource to create an AWS Firewall Manager policy. You need to be using AWS Organizations and have enabled the Firewall Manager administrator account.

Parameters

Example Usage (from GitHub)

Source: cloudposse/terraform-aws-firewall-manager (excerpt). Each resource block below is cut off on this page after exclude_resource_tags; the lines marked "completion" close it with the provider's required arguments (remediation_enabled and security_service_policy_data) and are an assumption added here, not the module's own code.

resource "aws_fms_policy" "shiled_advanced" {
  for_each = local.shiled_advanced_policies

  name                        = module.shiled_advanced_label[each.key].id
  delete_all_policy_resources = lookup(each.value, "delete_all_policy_resources", true)
  exclude_resource_tags       = lookup(each.value, "exclude_resource_tags", false)
  remediation_enabled         = lookup(each.value, "remediation_enabled", false) # completion
  security_service_policy_data {                                                # completion
    type                 = "SHIELD_ADVANCED"
    managed_service_data = lookup(each.value, "managed_service_data", null)
  }
}

Source: cloudposse/terraform-aws-firewall-manager (excerpt, completed as above)

resource "aws_fms_policy" "waf" {
  for_each = local.waf_policies

  name                        = module.waf_label[each.key].id
  delete_all_policy_resources = lookup(each.value, "delete_all_policy_resources", true)
  exclude_resource_tags       = lookup(each.value, "exclude_resource_tags", false)
  remediation_enabled         = lookup(each.value, "remediation_enabled", false) # completion
  security_service_policy_data {                                                # completion
    type                 = "WAFV2"
    managed_service_data = lookup(each.value, "managed_service_data", null)
  }
}

Source: cloudposse/terraform-aws-firewall-manager (excerpt, completed as above)

resource "aws_fms_policy" "dns_firewall" {
  for_each = local.dns_firewall_policies

  name                        = module.dns_firewall_label[each.key].id
  delete_all_policy_resources = lookup(each.value, "delete_all_policy_resources", true)
  exclude_resource_tags       = lookup(each.value, "exclude_resource_tags", false)
  remediation_enabled         = lookup(each.value, "remediation_enabled", false) # completion
  security_service_policy_data {                                                # completion
    type                 = "DNS_FIREWALL"
    managed_service_data = lookup(each.value, "managed_service_data", null)
  }
}

Source: cloudposse/terraform-aws-firewall-manager (excerpt, completed as above)

resource "aws_fms_policy" "security_groups_usage_audit" {
  for_each = local.security_groups_usage_audit_policies

  name                        = module.security_groups_usage_audit_label[each.key].id
  delete_all_policy_resources = lookup(each.value, "delete_all_policy_resources", true)
  exclude_resource_tags       = lookup(each.value, "exclude_resource_tags", false)
  remediation_enabled         = lookup(each.value, "remediation_enabled", false) # completion
  security_service_policy_data {                                                # completion
    type                 = "SECURITY_GROUPS_USAGE_AUDIT"
    managed_service_data = lookup(each.value, "managed_service_data", null)
  }
}

Source: cloudposse/terraform-aws-firewall-manager (excerpt, completed as above)

resource "aws_fms_policy" "security_groups_content_audit" {
  for_each = local.security_groups_content_audit_policies

  name                        = module.security_groups_content_audit_label[each.key].id
  delete_all_policy_resources = lookup(each.value, "delete_all_policy_resources", true)
  exclude_resource_tags       = lookup(each.value, "exclude_resource_tags", false)
  remediation_enabled         = lookup(each.value, "remediation_enabled", false) # completion
  security_service_policy_data {                                                # completion
    type                 = "SECURITY_GROUPS_CONTENT_AUDIT"
    managed_service_data = lookup(each.value, "managed_service_data", null)
  }
}
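The excerpts above stop before the arguments that decide what a policy actually enforces. The following is an added example, not the cloudposse module's code and not from the original page: one complete WAFV2 policy that scopes enforcement to an organizational unit, turns remediation on, and keeps Firewall Manager-created resources when the policy is destroyed. The OU id is a placeholder, and the AWS provider configuration is assumed to exist.

```hcl
# Complete, stand-alone policy (added example; not the cloudposse module's code).
# Assumed placeholders: the OU id and the AWS provider/region configuration.
resource "aws_fms_policy" "waf_baseline" {
  name        = "org-waf-baseline"
  description = "Baseline AWS WAF web ACL for every ALB in the scoped OU"

  # Apply to every resource of the listed types, regardless of tags.
  exclude_resource_tags = false
  resource_type_list    = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]

  # true: Firewall Manager creates and attaches the web ACL on
  # non-compliant resources instead of only reporting them.
  remediation_enabled = true

  # The excerpts above default this to true, which deletes the
  # Firewall Manager-created web ACLs when the policy is destroyed;
  # keep them unless removing the protection is intended.
  delete_all_policy_resources = false

  # Limit the policy to one organizational unit (placeholder id).
  include_map {
    orgunit = ["ou-abcd-12345678"]
  }

  security_service_policy_data {
    type = "WAFV2"
    managed_service_data = jsonencode({
      type = "WAFV2"
      preProcessRuleGroups = [{
        ruleGroupType = "ManagedRuleGroup"
        ruleGroupArn  = null
        managedRuleGroupIdentifier = {
          vendorName           = "AWS"
          managedRuleGroupName = "AWSManagedRulesCommonRuleSet"
          version              = null
        }
        overrideAction = { type = "NONE" } # keep the rule group's own block actions
        excludeRules   = []
      }]
      postProcessRuleGroups = []
      # Requests the managed rules do not match are allowed; the rule
      # group itself blocks the request patterns it detects.
      defaultAction = { type = "ALLOW" }
      # Leave customer-managed web ACLs in place; Firewall Manager
      # reports those resources as non-compliant rather than replacing them.
      overrideCustomerWebACLAssociation = false
    })
  }
}
```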

CloudFormation Example (AWS::FMS::Policy)

An AWS Firewall Manager policy.

Firewall Manager provides the following types of policies:

  • An AWS Shield Advanced policy, which applies Shield Advanced protection to specified accounts and resources.
  • An AWS WAF policy (type WAFV2), which defines rule groups to run first in the corresponding AWS WAF web ACL and rule groups to run last in the web ACL.
  • An AWS WAF Classic policy, which defines a rule group. AWS WAF Classic doesn't support rule groups in Amazon CloudFront, so, to create AWS WAF Classic policies through CloudFront, you first need to create your rule groups outside of CloudFront.
  • A security group policy, which manages VPC security groups across your AWS organization.
  • An AWS Network Firewall policy, which provides firewall rules to filter network traffic in specified Amazon VPCs.
  • A DNS Firewall policy, which provides Amazon Route 53 Resolver DNS Firewall rules to filter DNS queries for specified Amazon VPCs.

Each policy is specific to one of the types. If you want to enforce more than one policy type across accounts, create multiple policies. You can create multiple policies for each type.

These policies require some setup to use. For more information, see the sections on prerequisites and getting started under AWS Firewall Manager.

Parameters

Frequently asked questions

What is AWS Firewall Manager Policy?

AWS Firewall Manager Policy is a resource for Firewall Manager of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Firewall Manager Policy?

For Terraform, the cloudposse/terraform-aws-firewall-manager source code examples are useful. See the Terraform Example section for further details.