How can I use custom policy rules with my Firewall Manager content audit security group policy?


I want to use custom policy rules with my AWS Firewall Manager content audit security group policy.

Short description

You can use Firewall Manager content audit security group policies to check and manage rules that are in use in your organization's security groups. Content audit security group policies apply to all security groups in use in your organization in AWS Organizations. You can create custom policy rules for your content audit security group policy for your use case.

For more information, see Content audit security group policies.

Resolution

Complete the Firewall Manager prerequisites, and then create the audit security group and policy

Important: It's a best practice to create an audit security group policy with automatic remediation deactivated. Review the effects of policy creation before activating automatic remediation. After you review the expected effects, you can edit the policy and then activate automatic remediation. When automatic remediation is activated, Firewall Manager updates or removes rules that are noncompliant with in-scope security groups.
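The policy itself can be created with the AWS CLI or an SDK instead of the console. The following added example (not part of the article) builds the `put_policy` request for a content audit security group policy with automatic remediation turned off, which matches the best practice above. The audit security group ID is a placeholder, `sg-PLACEHOLDER`, and the `ManagedServiceData` layout follows the FMS `SecurityServicePolicyData` format for the `SECURITY_GROUPS_CONTENT_AUDIT` type, where `securityGroupAction` is `ALLOW` for the "allow only the rules defined" policy rule and `DENY` for the "deny the use of any rules defined" policy rule.

```python
"""Build a Firewall Manager content audit security group policy request.

Added example, not article or AWS code. The ManagedServiceData JSON shape
is the documented one for the SECURITY_GROUPS_CONTENT_AUDIT service type;
the security group ID used below is a placeholder.
"""
import json


def build_content_audit_policy(policy_name: str, audit_sg_id: str, action: str,
                               remediation_enabled: bool = False) -> dict:
    """Return the keyword arguments for fms.put_policy().

    action is "ALLOW" (in-scope rules must fit inside the audit SG rules) or
    "DENY" (in-scope rules must not use anything the audit SG rules define).
    Remediation defaults to off so the policy only reports noncompliance.
    """
    if action not in ("ALLOW", "DENY"):
        raise ValueError("action must be ALLOW or DENY")

    # Firewall Manager expects this structure serialised as a JSON string.
    managed_service_data = {
        "type": "SECURITY_GROUPS_CONTENT_AUDIT",
        "securityGroups": [{"id": audit_sg_id}],
        "securityGroupAction": {"type": action},
    }
    return {
        "Policy": {
            "PolicyName": policy_name,
            "SecurityServicePolicyData": {
                "Type": "SECURITY_GROUPS_CONTENT_AUDIT",
                "ManagedServiceData": json.dumps(managed_service_data),
            },
            # The audit applies to security groups; other supported resource
            # types (instances, network interfaces) are not used here.
            "ResourceType": "AWS::EC2::SecurityGroup",
            "ExcludeResourceTags": False,
            "RemediationEnabled": remediation_enabled,
        }
    }


def managed_service_data_of(request: dict) -> dict:
    """Decode the embedded JSON string back into a dict (handy for review)."""
    return json.loads(request["Policy"]["SecurityServicePolicyData"]["ManagedServiceData"])


if __name__ == "__main__":
    # Requires credentials for the Firewall Manager administrator account.
    import boto3  # noqa: E402

    fms = boto3.client("fms", region_name="us-east-1")
    request = build_content_audit_policy("ssh-allowlist-audit", "sg-PLACEHOLDER", "ALLOW")
    print(json.dumps(managed_service_data_of(request), indent=2))
    fms.put_policy(**request)
```

Review the policy's compliance findings with remediation off, then resubmit the same request with `remediation_enabled=True` (which updates the existing policy when `PolicyId` and `PolicyUpdateToken` are included in `Policy`) once the expected effects are confirmed.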

"Allow only the rules defined in the audit security groups" policy rule

This rule states that every in-scope security group may contain only rules that fall within the range of the policy's audit security group rules (same protocol, a port range inside the audit rule's port range, and a CIDR inside the audit rule's CIDR). In this case, the policy's audit security group rules are the example of what's acceptable.

Example use case

To allow SSH only from allow-listed CIDRs within 10.0.0.0/16, give the audit security group an inbound rule that allows SSH (TCP port 22) from 10.0.0.0/16. Security group rules that allow SSH from a broader or different CIDR (for example, 10.0.0.0/8) are then noncompliant.

For more information, see Content audit security group policies.

"Deny the use of any rules defined in the audit security groups" policy rule

This rule states that no in-scope security group may contain rules that fall within the range of the policy's audit security group rules. In this case, the policy's audit security group rules are the example of what's not acceptable.

Example use case

To deny inbound TCP access on the port range 1024 to 65535, give the audit security group an inbound rule that allows TCP traffic on ports 1024 to 65535 from 0.0.0.0/0. Security group rules that allow TCP traffic on any port in the range 1024 to 65535 from any CIDR are then noncompliant.
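The two policy rules differ only in how an in-scope rule is compared with the audit security group's rules: for the "allow only" rule a security group rule is compliant when it fits entirely inside some audit rule, and for the "deny the use of any" rule it is compliant only when it overlaps no audit rule at all. The following added example (not Firewall Manager's own code) models that comparison locally over constructed sample rules, using the SSH allow-list and the high-port deny cases from both use cases above, so the expected findings can be reasoned about before the policy is created. It also generalises slightly beyond the article's examples by handling the all-protocols `-1` value and partial port-range overlaps.

```python
"""Local model of Firewall Manager content audit policy rule evaluation.

Added illustration, not Firewall Manager code. ALLOW: every in-scope rule
must fit inside at least one audit rule. DENY: no in-scope rule may overlap
any audit rule. Sample rules below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SgRule:
    protocol: str   # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str       # IPv4 CIDR, for example "10.0.0.0/16"


def fits_within(rule: SgRule, audit: SgRule) -> bool:
    """True if `rule` grants nothing that `audit` does not also grant."""
    # An audit rule for a single protocol cannot cover "-1" or another protocol.
    if audit.protocol != "-1" and rule.protocol != audit.protocol:
        return False
    if not (audit.from_port <= rule.from_port and rule.to_port <= audit.to_port):
        return False
    return ipaddress.ip_network(rule.cidr).subnet_of(ipaddress.ip_network(audit.cidr))


def overlaps(rule: SgRule, audit: SgRule) -> bool:
    """True if `rule` and `audit` share any protocol/port/address combination."""
    if audit.protocol != "-1" and rule.protocol != "-1" and rule.protocol != audit.protocol:
        return False
    # Disjoint port ranges mean no overlap; anything else (including partial) overlaps.
    if rule.to_port < audit.from_port or audit.to_port < rule.from_port:
        return False
    return ipaddress.ip_network(rule.cidr).overlaps(ipaddress.ip_network(audit.cidr))


def noncompliant_rules(action: str, audit_rules: list[SgRule],
                       sg_rules: list[SgRule]) -> list[SgRule]:
    """Return the in-scope rules the policy would flag for the given action."""
    if action == "ALLOW":
        return [r for r in sg_rules if not any(fits_within(r, a) for a in audit_rules)]
    if action == "DENY":
        return [r for r in sg_rules if any(overlaps(r, a) for a in audit_rules)]
    raise ValueError("action must be ALLOW or DENY")


# Constructed sample data mirroring the article's two use cases.
SSH_AUDIT = [SgRule("tcp", 22, 22, "10.0.0.0/16")]
SSH_SG_RULES = [
    SgRule("tcp", 22, 22, "10.0.5.0/24"),   # inside the allow-listed range
    SgRule("tcp", 22, 22, "10.0.0.0/8"),    # broader than allowed
    SgRule("-1", 0, 65535, "10.0.1.0/24"),  # all protocols: broader than allowed
]

HIGH_PORT_AUDIT = [SgRule("tcp", 1024, 65535, "0.0.0.0/0")]
HIGH_PORT_SG_RULES = [
    SgRule("tcp", 443, 443, "0.0.0.0/0"),         # below the denied range
    SgRule("tcp", 8080, 8080, "192.168.1.0/24"),  # inside the denied range
    SgRule("tcp", 1000, 2000, "10.0.0.0/8"),      # partially overlaps the range
    SgRule("udp", 5000, 5000, "0.0.0.0/0"),       # different protocol
]


def article_examples() -> tuple[list[SgRule], list[SgRule]]:
    """Findings for the ALLOW and DENY use cases from the article."""
    return (noncompliant_rules("ALLOW", SSH_AUDIT, SSH_SG_RULES),
            noncompliant_rules("DENY", HIGH_PORT_AUDIT, HIGH_PORT_SG_RULES))


if __name__ == "__main__":
    allow_findings, deny_findings = article_examples()
    print("ALLOW policy would flag:", *allow_findings, sep="\n  ")
    print("DENY policy would flag:", *deny_findings, sep="\n  ")
```

Running it lists the broader `/8` SSH rule and the all-protocols rule under the ALLOW policy, and the port 8080 and 1000 to 2000 rules under the DENY policy; the partial overlap case is why a DENY audit rule should be thought of as a range that no in-scope rule may touch, not only an exact match.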

Related information

How do I set up AWS Firewall Manager for my AWS account?

AWS OFFICIAL. Updated 10 months ago.