AWS - Firewall Manager Enum


Firewall Manager

AWS Firewall Manager streamlines the management and maintenance of AWS WAF, AWS Shield Advanced, Amazon VPC security groups and Network Access Control Lists (ACLs), AWS Network Firewall, AWS Route 53 Resolver DNS Firewall, and third-party firewalls across multiple accounts and resources. It enables you to configure your firewall rules, Shield Advanced protections, VPC security groups, and Network Firewall settings just once, with the service automatically enforcing these rules and protections across your accounts and resources, including newly added ones.

The service offers the capability to group and safeguard specific resources together, like those sharing a common tag or all your CloudFront distributions. A significant advantage of Firewall Manager is its ability to automatically extend protection to newly added resources in your account.

A rule group (a collection of WAF rules) can be incorporated into an AWS Firewall Manager Policy, which is then linked to specific AWS resources such as CloudFront distributions or application load balancers.

AWS Firewall Manager provides managed application and protocol lists to simplify the configuration and management of security group policies. These lists allow you to define the protocols and applications permitted or denied by your policies. There are two types of managed lists:

  • Firewall Manager managed lists: These lists include FMS-Default-Public-Access-Apps-Allowed and FMS-Default-Protocols-Allowed. They are managed by Firewall Manager and include commonly used applications and protocols that should be allowed or denied to the general public. It is not possible to edit or delete them; however, you can choose their version.

  • Custom managed lists: You manage these lists yourself. You can create custom application and protocol lists tailored to your organization's needs. Unlike Firewall Manager managed lists, these lists do not have versions, but you have full control over custom lists, allowing you to create, edit, and delete them as required.

It's important to note that Firewall Manager policies permit only "Block" or "Count" actions for a rule group, without an "Allow" option.

Prerequisites

The following prerequisite steps must be completed before proceeding to configure Firewall Manager to begin protecting your organization's resources effectively. These steps provide the foundational setup required for Firewall Manager to enforce security policies and ensure compliance across your AWS environment:

  1. Join and configure AWS Organizations: Ensure your AWS account is part of the AWS Organizations organization where the AWS Firewall Manager policies are planned to be implemented. This allows for centralized management of resources and policies across multiple AWS accounts within the organization.

  2. Create an AWS Firewall Manager Default Administrator Account: Establish a default administrator account specifically for managing Firewall Manager security policies. This account will be responsible for configuring and enforcing security policies across the organization. Only the management account of the organization is able to create Firewall Manager default administrator accounts.

  3. Enable AWS Config: Activate AWS Config to provide Firewall Manager with the necessary configuration data and insights required to effectively enforce security policies. AWS Config helps analyze, audit and monitor resource configurations and changes, facilitating better security management.

  4. For Third-Party Policies, Subscribe in the AWS Marketplace and Configure Third-Party Settings: If you plan to utilize third-party firewall policies, subscribe to them in the AWS Marketplace and configure the necessary settings. This step ensures that Firewall Manager can integrate and enforce policies from trusted third-party vendors.

  5. For Network Firewall and DNS Firewall Policies, enable resource sharing: Enable resource sharing specifically for Network Firewall and DNS Firewall policies. This allows Firewall Manager to apply firewall protections to your organization's VPCs and DNS resolution, enhancing network security.

  6. To use AWS Firewall Manager in Regions that are disabled by default: If you intend to use Firewall Manager in AWS regions that are disabled by default, ensure that you take the necessary steps to enable its functionality in those regions. This ensures consistent security enforcement across all regions where your organization operates.

For more information, check: Getting started with AWS Firewall Manager AWS WAF policies.

Types of protection policies

AWS Firewall Manager manages several types of policies to enforce security controls across different aspects of your organization's infrastructure:

  1. AWS WAF Policy: This policy type supports both AWS WAF and AWS WAF Classic. You can define which resources are protected by the policy. For AWS WAF policies, you can specify sets of rule groups to run first and last in the web ACL. Additionally, account owners can add rules and rule groups to run in between these sets.

  2. Shield Advanced Policy: This policy applies Shield Advanced protections across your organization for specified resource types. It helps safeguard against DDoS attacks and other threats.

  3. Amazon VPC Security Group Policy: With this policy, you can manage security groups used throughout your organization, enforcing a baseline set of rules across your AWS environment to control network access.

  4. Amazon VPC Network Access Control List (ACL) Policy: This policy type gives you control over network ACLs used in your organization, allowing you to enforce a baseline set of network ACLs across your AWS environment.

  5. Network Firewall Policy: This policy applies AWS Network Firewall protection to your organization's VPCs, enhancing network security by filtering traffic based on predefined rules.

  6. Amazon Route 53 Resolver DNS Firewall Policy: This policy applies DNS Firewall protections to your organization's VPCs, helping to block malicious domain resolution attempts and enforce security policies for DNS traffic.

  7. Third-Party Firewall Policy: This policy type applies protections from third-party firewalls, which are available by subscription through the AWS Marketplace console. It allows you to integrate additional security measures from trusted vendors into your AWS environment.

    1. Palo Alto Networks Cloud NGFW Policy: This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and rulestacks to your organization's VPCs, providing advanced threat prevention and application-level security controls.

    2. Fortigate Cloud Native Firewall (CNF) as a Service Policy: This policy applies Fortigate Cloud Native Firewall (CNF) as a Service protections, offering industry-leading threat prevention, web application firewall (WAF), and API protection tailored for cloud infrastructures.

Administrator accounts

AWS Firewall Manager offers flexibility in managing firewall resources within your organization through its administrative scope and two types of administrator accounts.

Administrative scope defines the resources that a Firewall Manager administrator can manage. After an AWS Organizations management account onboards an organization to Firewall Manager, it can create additional administrators with different administrative scopes. These scopes can include:

  • Accounts or organizational units (OUs) that the administrator can apply policies to.

  • Regions where the administrator can perform actions.

  • Firewall Manager policy types that the administrator can manage.

Administrative scope can be either full or restricted. Full scope grants the administrator access to all specified resource types, regions, and policy types. In contrast, restricted scope provides administrative permission to only a subset of resources, regions, or policy types. It's advisable to grant administrators only the permissions they need to fulfill their roles effectively. You can apply any combination of these administrative scope conditions to an administrator, ensuring adherence to the principle of least privilege.

There are two distinct types of administrator accounts, each serving specific roles and responsibilities:

  • Default Administrator:

    • The default administrator account is created by the AWS Organizations organization's management account during the onboarding process to Firewall Manager.

    • This account has the capability to manage third-party firewalls and possesses full administrative scope.

    • It serves as the primary administrator account for Firewall Manager, responsible for configuring and enforcing security policies across the organization.

    • While the default administrator has full access to all resource types and administrative functionalities, it operates at the same peer level as other administrators if multiple administrators are utilized within the organization.

  • Firewall Manager Administrators:

    • These administrators can manage resources within the scope designated by the AWS Organizations management account, as defined by the administrative scope configuration.

    • Firewall Manager administrators are created to fulfill specific roles within the organization, allowing for delegation of responsibilities while maintaining security and compliance standards.

    • Upon creation, Firewall Manager checks with AWS Organizations to determine if the account is already a delegated administrator. If not, Firewall Manager calls Organizations to designate the account as a delegated administrator for Firewall Manager.

Managing these administrator accounts involves creating them within Firewall Manager and defining their administrative scopes according to the organization's security requirements and the principle of least privilege. By assigning appropriate administrative roles, organizations can ensure effective security management while maintaining granular control over access to sensitive resources.

It is important to highlight that only one account within an organization can serve as the Firewall Manager default administrator, adhering to the principle of "first in, last out". To designate a new default administrator, a series of steps must be followed:

  • First, each Firewall Manager administrator account must revoke their own account.

  • Then, the existing default administrator can revoke their own account, effectively offboarding the organization from Firewall Manager. This process results in the deletion of all Firewall Manager policies created by the revoked account.

  • To conclude, the AWS Organizations management account must designate the Firewall Manager default administrator.

Enumeration

# Users/Administrators

## Get the AWS Organizations account that is associated with AWS Firewall Manager as the AWS Firewall Manager default administrator
aws fms get-admin-account

## List of Firewall Manager administrators within the organization
aws fms list-admin-accounts-for-organization # ReadOnlyAccess policy is not enough for this

## Return a list of the member accounts in the FM administrator's AWS organization
aws fms list-member-accounts # Only a Firewall Manager administrator or the Organization's management account can make this request

## List the accounts that are managing the specified AWS Organizations member account
aws fms list-admins-managing-account # ReadOnlyAccess policy is not enough for this

# Resources

## Get the resources that a Firewall Manager administrator can manage
aws fms get-admin-scope --admin-account <value> # ReadOnlyAccess policy is not enough for this

## Returns the summary of the resource sets used
aws fms list-resource-sets # ReadOnlyAccess policy is not enough for this

## Get information about a specific resource set
aws fms get-resource-set --identifier <value>  # ReadOnlyAccess policy is not enough for this

## Retrieve the list of tags for a given resource
aws fms list-tags-for-resource --resource-arn <value>

## List of the resources in the AWS Organization's accounts that are available to be associated with a FM resource set. Only one account is supported per request.
aws fms list-discovered-resources --member-account-ids <value> --resource-type <value> # ReadOnlyAccess policy is not enough for this

## List the resources that are currently associated to a resource set
aws fms list-resource-set-resources --identifier <value> # ReadOnlyAccess policy is not enough for this

# Policies

## Returns the list of policies
aws fms list-policies

## Get information about the specified AWS Firewall Manager policy
aws fms get-policy --policy-id <value>

## List all of the third-party firewall policies that are associated with the third-party firewall administrator's account
aws fms list-third-party-firewall-firewall-policies --third-party-firewall <PALO_ALTO_NETWORKS_CLOUD_NGFW|FORTIGATE_CLOUD_NATIVE_FIREWALL> # ReadOnlyAccess policy is not enough for this

# AppsList

## Return a list of apps list
aws fms list-apps-lists --max-results [1-100]

## Get information about the specified AWS Firewall Manager applications list
aws fms get-apps-list --list-id <value>

# Protocols

## Get the details of the Firewall Manager protocols list.
aws fms list-protocols-lists

## Get information about the specified AWS Firewall Manager Protocols list
aws fms get-protocols-list --list-id <value>

# Compliance

## Return a summary of which member accounts are protected by the specified policy
aws fms list-compliance-status --policy-id <policy-id>

## Get detailed compliance information about the specified member account (resources that are in and out of compliance with the specified policy)
aws fms get-compliance-detail --policy-id <value> --member-account <value>

# Other useful info

## Get information about the SNS topic that is used to record AWS Firewall Manager SNS logs (if any)
aws fms get-notification-channel

## Get policy-level attack summary information in the event of a potential DDoS attack
aws fms get-protection-status --policy-id <value> # Just for Shield Advanced policy

## Get the onboarding status of a Firewall Manager admin account to third-party firewall vendor tenant.
aws fms get-third-party-firewall-association-status --third-party-firewall <PALO_ALTO_NETWORKS_CLOUD_NGFW|FORTIGATE_CLOUD_NATIVE_FIREWALL> # ReadOnlyAccess policy is not enough for this

## Get violations' details for a resource based on the specified AWS Firewall Manager policy and AWS account.
aws fms get-violation-details --policy-id <value> --member-account <value> --resource-id <value> --resource-type <value>

Post Exploitation / Bypass Detection

organizations:DescribeOrganization & (fms:AssociateAdminAccount, fms:DisassociateAdminAccount, fms:PutAdminAccount)

An attacker with the fms:AssociateAdminAccount permission would be able to set the Firewall Manager default administrator account. With the fms:PutAdminAccount permission, an attacker would be able to create or update a Firewall Manager administrator account, and with the fms:DisassociateAdminAccount permission, a potential attacker could remove the current Firewall Manager administrator account association.

  • The disassociation of the Firewall Manager default administrator follows the first-in-last-out policy. All the Firewall Manager administrators must disassociate before the Firewall Manager default administrator can disassociate the account.

  • In order to create a Firewall Manager administrator by PutAdminAccount, the account must belong to the organization that was previously onboarded to Firewall Manager using AssociateAdminAccount.

  • The creation of a Firewall Manager administrator account can only be done by the organization's management account.

aws fms associate-admin-account --admin-account <value>
aws fms disassociate-admin-account
aws fms put-admin-account --admin-account <value>

Potential Impact: Loss of centralized management, policy evasion, compliance violations, and disruption of security controls within the environment.

fms:PutPolicy, fms:DeletePolicy

An attacker with the fms:PutPolicy, fms:DeletePolicy permissions would be able to create, modify or permanently delete an AWS Firewall Manager policy.

aws fms put-policy --policy <value> | --cli-input-json file://<policy.json> [--tag-list <value>]
aws fms delete-policy --policy-id <value> [--delete-all-policy-resources | --no-delete-all-policy-resources]

An example of a permissive policy that uses a permissive security group in order to bypass detection could be the following:

{
    "Policy": {
        "PolicyName": "permisive_policy",
        "SecurityServicePolicyData": {
            "Type": "SECURITY_GROUPS_COMMON",
            "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"securityGroups\":[{\"id\":\"<permisive_security_group_id>\"}], \"applyToAllEC2InstanceENIs\":\"true\",\"IncludeSharedVPC\":\"true\"}"
        },
        "ResourceTypeList": ["AWS::EC2::Instance", "AWS::EC2::NetworkInterface", "AWS::EC2::SecurityGroup", "AWS::ElasticLoadBalancingV2::LoadBalancer", "AWS::ElasticLoadBalancing::LoadBalancer"],
        "ResourceType": "AWS::EC2::SecurityGroup",
        "ExcludeResourceTags": false,
        "ResourceTags": [],
        "RemediationEnabled": true
    },
    "TagList": []
}

Potential Impact: Dismantling of security controls, policy evasion, compliance violations, operational disruptions, and potential data breaches within the environment.
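A defender-side check for the kind of policy shown above, as an added example that is not part of the original page: it unpacks the JSON string in ManagedServiceData of a SECURITY_GROUPS_COMMON policy and reports world-open ingress rules in the security groups the policy replicates. The inputs are assumed to be saved output of `aws fms get-policy` and `aws ec2 describe-security-groups`; the policy name, group ID and rules below are constructed.

```python
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def open_ingress(group):
    """Return (protocol, from_port, to_port, cidr) for each world-open ingress rule."""
    hits = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in OPEN_CIDRS:
                hits.append((perm["IpProtocol"], perm.get("FromPort"),
                             perm.get("ToPort"), cidr))
    return hits

def audit_common_sg_policy(policy_doc, described_groups):
    """Flag world-open rules in the groups a SECURITY_GROUPS_COMMON policy replicates."""
    policy = policy_doc["Policy"]
    data = policy["SecurityServicePolicyData"]
    if data["Type"] != "SECURITY_GROUPS_COMMON":
        return []
    # ManagedServiceData is itself JSON, serialized into a string field.
    managed = json.loads(data["ManagedServiceData"])
    by_id = {g["GroupId"]: g for g in described_groups["SecurityGroups"]}
    findings = []
    for ref in managed.get("securityGroups", []):
        group = by_id.get(ref["id"])
        if group is None:
            findings.append({"policy": policy["PolicyName"], "group": ref["id"],
                             "issue": "referenced group not found"})
            continue
        for proto, lo, hi, cidr in open_ingress(group):
            ports = "all" if lo is None else f"{lo}-{hi}"
            findings.append({
                "policy": policy["PolicyName"],
                "group": ref["id"],
                "issue": f"ingress {proto} {ports} from {cidr}",
                # Remediation means Firewall Manager applies the group automatically.
                "auto_remediation": bool(policy.get("RemediationEnabled")),
                "all_enis": str(managed.get("applyToAllEC2InstanceENIs")).lower() == "true",
            })
    return findings

# Constructed sample input (not real resources).
SAMPLE_POLICY = {"Policy": {
    "PolicyName": "baseline-sg",
    "SecurityServicePolicyData": {
        "Type": "SECURITY_GROUPS_COMMON",
        "ManagedServiceData": json.dumps({
            "type": "SECURITY_GROUPS_COMMON",
            "securityGroups": [{"id": "sg-0aaa1111bbbb2222c"}],
            "applyToAllEC2InstanceENIs": "true",
        }),
    },
    "ResourceType": "AWS::EC2::Instance",
    "RemediationEnabled": True,
}}
SAMPLE_GROUPS = {"SecurityGroups": [{
    "GroupId": "sg-0aaa1111bbbb2222c",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}]}

if __name__ == "__main__":
    for finding in audit_common_sg_policy(SAMPLE_POLICY, SAMPLE_GROUPS):
        print(finding)
```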

fms:BatchAssociateResource, fms:BatchDisassociateResource, fms:PutResourceSet, fms:DeleteResourceSet

An attacker with the fms:BatchAssociateResource and fms:BatchDisassociateResource permissions would be able to associate or disassociate resources from a Firewall Manager resource set respectively. In addition, the fms:PutResourceSet and fms:DeleteResourceSet permissions would allow an attacker to create, modify or delete these resource sets from AWS Firewall Manager.

# Associate/Disassociate resources from a resource set
aws fms batch-associate-resource --resource-set-identifier <value> --items <value>
aws fms batch-disassociate-resource --resource-set-identifier <value> --items <value>

# Create, modify or delete a resource set
aws fms put-resource-set --resource-set <value> [--tag-list <value>]
aws fms delete-resource-set --identifier <value>

Potential Impact: The addition of an unnecessary amount of items to a resource set will increase the level of noise in the Service potentially causing a DoS. In addition, changes of the resource sets could lead to a resource disruption, policy evasion, compliance violations, and disruption of security controls within the environment.

fms:PutAppsList, fms:DeleteAppsList

An attacker with the fms:PutAppsList and fms:DeleteAppsList permissions would be able to create, modify or delete application lists from AWS Firewall Manager. This could be critical, as unauthorized applications could be allowed access to the general public, or access to authorized applications could be denied, causing a DoS.

aws fms put-apps-list --apps-list <value> [--tag-list <value>]
aws fms delete-apps-list --list-id <value>

Potential Impact: This could result in misconfigurations, policy evasion, compliance violations, and disruption of security controls within the environment.

fms:PutProtocolsList, fms:DeleteProtocolsList

An attacker with the fms:PutProtocolsList and fms:DeleteProtocolsList permissions would be able to create, modify or delete protocols lists from AWS Firewall Manager. As with applications lists, this could be critical since unauthorized protocols could be used by the general public, or the use of authorized protocols could be denied, causing a DoS.

aws fms put-protocols-list --protocols-list <value> [--tag-list <value>]
aws fms delete-protocols-list --list-id <value>

Potential Impact: This could result in misconfigurations, policy evasion, compliance violations, and disruption of security controls within the environment.

fms:PutNotificationChannel, fms:DeleteNotificationChannel

An attacker with the fms:PutNotificationChannel and fms:DeleteNotificationChannel permissions would be able to delete and designate the IAM role and Amazon Simple Notification Service (SNS) topic that Firewall Manager uses to record SNS logs.

To use fms:PutNotificationChannel outside of the console, you need to set up the SNS topic's access policy, allowing the specified SnsRoleName to publish SNS logs. If the provided SnsRoleName is a role other than the AWSServiceRoleForFMS, it requires a trust relationship configured to permit the Firewall Manager service principal fms.amazonaws.com to assume this role.

For information about configuring an SNS access policy:

https://github.com/HackTricks-wiki/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-services/aws-services/aws-sns-enum.md

aws fms put-notification-channel --sns-topic-arn <value> --sns-role-name <value>
aws fms delete-notification-channel

Potential Impact: This would potentially lead to missed security alerts, delayed incident response, potential data breaches and operational disruptions within the environment.

fms:AssociateThirdPartyFirewall, fms:DisassociateThirdPartyFirewall

An attacker with the fms:AssociateThirdPartyFirewall, fms:DisassociateThirdPartyFirewall permissions would be able to associate or disassociate third-party firewalls from being managed centrally through AWS Firewall Manager.

Only the default administrator can create and manage third-party firewalls.

aws fms associate-third-party-firewall --third-party-firewall [PALO_ALTO_NETWORKS_CLOUD_NGFW | FORTIGATE_CLOUD_NATIVE_FIREWALL]
aws fms disassociate-third-party-firewall --third-party-firewall [PALO_ALTO_NETWORKS_CLOUD_NGFW | FORTIGATE_CLOUD_NATIVE_FIREWALL]

Potential Impact: The disassociation would lead to a policy evasion, compliance violations, and disruption of security controls within the environment. The association on the other hand would lead to a disruption of cost and budget allocation.

fms:TagResource, fms:UntagResource

An attacker would be able to add, modify, or remove tags from Firewall Manager resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.

aws fms tag-resource --resource-arn <value> --tag-list <value>
aws fms untag-resource --resource-arn <value> --tag-keys <value>

Potential Impact: Disruption of cost allocation, resource tracking, and tag-based access control policies.
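Detection logic for the permissions covered in this section, as an added example that is not part of the original page: it triages CloudTrail records for mutating Firewall Manager calls (eventSource fms.amazonaws.com) and raises severity for administrator changes outside an approved set, removal of the notification channel, and policy deletion that also deletes managed resources. The key casing inside requestParameters is an assumption (lookups are case-insensitive), and the events, ARNs, account IDs and policy ID are constructed.

```python
# Mutating Firewall Manager API calls covered on this page, grouped by target.
WATCHED = {
    "admin": ["AssociateAdminAccount", "DisassociateAdminAccount", "PutAdminAccount"],
    "policy": ["PutPolicy", "DeletePolicy"],
    "resource-set": ["BatchAssociateResource", "BatchDisassociateResource",
                     "PutResourceSet", "DeleteResourceSet"],
    "list": ["PutAppsList", "DeleteAppsList", "PutProtocolsList", "DeleteProtocolsList"],
    "notification": ["PutNotificationChannel", "DeleteNotificationChannel"],
    "third-party": ["AssociateThirdPartyFirewall", "DisassociateThirdPartyFirewall"],
    "tag": ["TagResource", "UntagResource"],
}
CATEGORY = {name: cat for cat, names in WATCHED.items() for name in names}

def _param(event, name):
    """Case-insensitive requestParameters lookup; key casing is an assumption."""
    for key, value in (event.get("requestParameters") or {}).items():
        if key.lower() == name.lower():
            return value
    return None

def triage(events, approved_admins):
    """Return one finding per mutating fms.amazonaws.com call, oldest first."""
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev.get("eventName")
        if ev.get("eventSource") != "fms.amazonaws.com" or name not in CATEGORY:
            continue  # other service, or a read-only Get*/List* call
        severity, reason = "medium", f"{CATEGORY[name]} change"
        if ev.get("errorCode"):
            severity, reason = "low", f"failed attempt ({ev['errorCode']})"
        elif name in ("AssociateAdminAccount", "PutAdminAccount"):
            admin = _param(ev, "adminAccount")
            if admin not in approved_admins:
                severity, reason = "high", f"unapproved administrator {admin}"
        elif name == "DisassociateAdminAccount":
            severity, reason = "high", "administrator association removed"
        elif name == "DeleteNotificationChannel":
            severity, reason = "high", "SNS notification channel removed"
        elif name == "DeletePolicy" and _param(ev, "deleteAllPolicyResources"):
            severity, reason = "high", "policy deleted together with its managed resources"
        findings.append({
            "time": ev["eventTime"], "event": name, "severity": severity, "reason": reason,
            "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
        })
    return findings

# Constructed CloudTrail records, trimmed to the fields the triage reads.
_OPS = {"arn": "arn:aws:iam::111111111111:role/ops"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "fms.amazonaws.com",
     "eventName": "PutAdminAccount", "userIdentity": _OPS,
     "requestParameters": {"adminAccount": "222222222222"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "fms.amazonaws.com",
     "eventName": "ListPolicies", "userIdentity": _OPS},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "fms.amazonaws.com",
     "eventName": "DeletePolicy", "userIdentity": _OPS,
     "requestParameters": {"policyId": "example-policy-id",
                           "deleteAllPolicyResources": True}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "fms.amazonaws.com",
     "eventName": "PutPolicy", "userIdentity": _OPS, "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TagResource", "userIdentity": _OPS},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, approved_admins={"333333333333"}):
        print(finding)
```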
