SAA-C03 | Chapter 55 of 189 | Objective 1.3

AWS Firewall Manager

This chapter covers AWS Firewall Manager, a centralized security management service for configuring and enforcing firewall policies across the accounts and resources in an AWS Organization. On the SAA-C03 exam it rarely appears on its own; it turns up inside larger multi-account security or compliance scenarios. You must understand its role in centrally managing AWS WAF rules, AWS Shield Advanced protections, VPC security groups and AWS Network Firewall policies, and its dependence on AWS Organizations and AWS Config.

25 min read
Intermediate
Updated May 31, 2026

Firewall Manager as Corporate Security Policy Enforcer

Imagine a multinational corporation with dozens of office buildings across the world. Each building has its own security guards (individual firewalls), but the company wants all buildings to follow the same security policy: all visitors must show ID at the front desk, all packages must be scanned, and no unauthorized devices are allowed on the internal network. Instead of sending a memo to each building and hoping they comply, the company hires a central security enforcer (AWS Firewall Manager). This enforcer has a master list of rules. Whenever a new building opens, the enforcer automatically sends the required security procedures and ensures the guards are trained. If a building deviates from the policy, the enforcer sends an alert and can even automatically lock down the building until compliance is restored. The enforcer also provides a single dashboard showing the compliance status of every building, so the chief security officer can see at a glance which buildings are following the rules and which are not. Importantly, the enforcer does not replace the guards; it just ensures they follow the same playbook. Similarly, AWS Firewall Manager does not replace individual firewall services like AWS WAF, AWS Shield Advanced, or VPC Security Groups; it centrally manages and enforces policies across all accounts and resources in an AWS Organization.

How It Actually Works

What is AWS Firewall Manager?

AWS Firewall Manager is a security management service that provides a single point of control for configuring and enforcing firewall policies across all accounts and resources in an AWS Organization. You write a policy once, and Firewall Manager applies it to matching resources in every in-scope account, including resources created after the policy exists. The policy types this chapter focuses on manage AWS WAF web ACLs, AWS Shield Advanced protections, VPC security groups and AWS Network Firewall; the service also offers Route 53 Resolver DNS Firewall, network ACL and supported third-party firewall policy types. Firewall Manager is not a firewall itself; it is a policy management and remediation layer that keeps the underlying services consistently configured across the organization.

Why It Exists

In large enterprises with multiple AWS accounts, manually configuring firewall rules in each account leads to inconsistencies, security gaps, and operational overhead. Firewall Manager solves this by enabling centralized policy creation, enforcement, and compliance monitoring. It is particularly valuable for organizations that must meet regulatory compliance requirements (e.g., PCI DSS, HIPAA) where uniform security controls are mandatory.

How Firewall Manager Works Internally

Firewall Manager operates through the following components:

- AWS Organization: Firewall Manager requires an AWS Organization with all features enabled. The management account designates one account as the Firewall Manager administrator (the delegated administrator); policies are created from that account.
- Policy: a policy pairs a security service configuration with a scope and a remediation setting. The exam-relevant policy types are:
  - AWS WAF policy: manages web ACLs for CloudFront distributions, API Gateway stages, Application Load Balancers and AWS AppSync APIs.
  - AWS Shield Advanced policy: applies Shield Advanced protection to in-scope resources (Application and Classic Load Balancers, Elastic IPs, CloudFront distributions).
  - Security group policy: three sub-types. A common policy replicates a primary security group into each in-scope account and associates the replica with in-scope EC2 instances, ENIs and load balancers; a content audit policy checks the rules of existing security groups against allowed or denied rules; a usage audit policy finds unused and redundant security groups.
  - AWS Network Firewall policy: creates firewalls in in-scope VPCs and applies a firewall policy built from stateless and stateful rule groups.
  Firewall Manager also supports Route 53 Resolver DNS Firewall, network ACL and third-party firewall policies, which are out of scope for this chapter.
- Rule Groups: WAF and Network Firewall policies reference rule groups that contain the actual rules. Rule groups can be AWS managed, AWS Marketplace managed, or rule groups you own.
- Scope: a policy targets resource types (e.g., all ALBs), optionally narrowed by resource tags (include or exclude), and an account scope (all accounts, or include/exclude lists of accounts and organizational units).
- Remediation: with auto remediation enabled, Firewall Manager applies the policy to noncompliant resources; with it disabled, it only reports them. Either way it reports compliance per policy and per member account.

When a policy is created or updated, Firewall Manager does the following:

1. Uses AWS Organizations to enumerate the in-scope accounts and, through AWS Config in each account, the resources that match the policy's resource type and tag scope.
2. Evaluates each resource against the policy (for example: is the required web ACL attached, does the security group contain a denied rule).
3. Marks noncompliant resources. With auto remediation enabled, it brings them into compliance (attaches the web ACL, associates the replica security group, removes offending rules); with it disabled, it only reports them.
4. Keeps watching. When AWS Config records a new or changed in-scope resource (for example, a new ALB in a member account), Firewall Manager evaluates it and, if remediation is on, applies the policy, typically within minutes.

Key Components, Values, Defaults, and Timers

Policy Types: You choose from the policy types Firewall Manager offers (AWS WAF, Shield Advanced, security group, Network Firewall, plus DNS Firewall, network ACL and third-party firewall). You cannot define custom policy types.

Scope: You target resources by resource type (e.g., AWS::ElasticLoadBalancingV2::LoadBalancer) and optionally by tags, either including only tagged resources or excluding them. Tag keys and values are matched exactly and are case-sensitive. Account scope can include or exclude specific accounts and organizational units.

Remediation Action: Every policy type has an auto remediation switch. Enabled, Firewall Manager modifies resources to match the policy; disabled, it only reports noncompliance, which makes a useful dry run before enforcing. For security group policies the remediation action depends on the sub-type: a common policy associates the replica group with in-scope resources, a content audit policy removes rules that violate the allowed/denied rule set, and a usage audit policy deletes unused or redundant groups.

Compliance Check Frequency: Evaluation is continuous and change-driven rather than a fixed poll. AWS Config records configuration changes in member accounts and Firewall Manager re-evaluates the affected resources, typically within minutes; creating or updating a policy triggers a full evaluation of everything in scope. There is no API call that forces an immediate re-check.

Administrator Account: From the management account you designate one account as the Firewall Manager administrator. It can be the management account, but the best practice is a dedicated security member account (a delegated administrator), which keeps day-to-day policy work out of the management account.

Quotas:

Quotas are per Region and most are adjustable through Service Quotas. The default is 20 Firewall Manager policies per organization per Region; the number of rule groups per WAF policy and of primary security groups per common security group policy are likewise small, adjustable defaults. Check the current Firewall Manager quotas page before designing a large rollout rather than relying on memorized figures.

Pricing: Firewall Manager charges per policy: $100 per policy per Region per month (AWS Shield Advanced subscribers are not charged the policy fee; check the pricing page for current terms). On top of that you pay for the underlying services (AWS WAF web ACLs and requests, Shield Advanced, Network Firewall endpoints and traffic) and for the AWS Config configuration items that Firewall Manager relies on. There is no per-evaluation charge.

Configuration and Verification

To set up Firewall Manager:

1. Enable AWS Organizations with all features.
2. Enable AWS Config in every account and Region you want covered, recording the resource types your policies will target (for example ALBs and security groups). This is required; Firewall Manager reads resource state from Config.
3. From the management account, designate the Firewall Manager administrator account (aws fms associate-admin-account --admin-account <account-id>). A dedicated security account is the recommended choice.
4. Sign in to the administrator account, open Firewall Manager and create a policy. For a WAF policy:
   - Choose 'AWS WAF' as the policy type, in the Region of the resources (us-east-1 for CloudFront).
   - Add rule groups (e.g., the AWS managed rule group AWSManagedRulesCommonRuleSet).
   - Set the scope (e.g., resource type Application Load Balancer, all accounts).
   - Enable auto remediation.
5. Verify compliance in the Firewall Manager console or via the CLI/API.
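The policy that the console builds in the steps above, expressed as the input to PutPolicy (the call behind aws fms put-policy), as an added example that is not code from the original page or from AWS. The policy name, rule group list and tag filter are assumptions; the document shape follows the FMS API, and the point it shows is that the WAF configuration travels inside ManagedServiceData as a JSON string, not a nested object.

```python
"""Build a Firewall Manager AWS WAF policy document for PutPolicy.

Added example, not code from the original page or from AWS. The document
follows the shape the FMS PutPolicy API expects; the policy name, rule group
list and tag scope are illustrative assumptions. The WAF configuration goes
in ManagedServiceData, which must be a JSON *string* (a nested object is
rejected by the API).
"""
import json

ALB_RESOURCE_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer"


def build_waf_policy(policy_name, managed_rule_groups, resource_tags=None,
                     remediate=True, replace_existing_web_acls=False):
    """Return the 'Policy' dict for put_policy: an AWS WAF policy that
    attaches a Firewall Manager managed web ACL to every in-scope ALB."""
    # One pre-process entry per AWS managed rule group. Firewall Manager builds
    # a web ACL in each member account with these rule groups evaluated before
    # any rules the account owner adds.
    pre_process = [
        {
            "ruleGroupArn": None,                 # set only for customer-owned rule groups
            "overrideAction": {"type": "NONE"},   # NONE = enforce; COUNT would only log
            "managedRuleGroupIdentifier": {
                "version": None,                  # None = default (latest) version
                "vendorName": "AWS",
                "managedRuleGroupName": name,
            },
            "ruleGroupType": "ManagedRuleGroup",
            "excludeRules": [],
        }
        for name in managed_rule_groups
    ]
    managed_service_data = {
        "type": "WAFV2",
        "preProcessRuleGroups": pre_process,
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        # False: a resource that already has a non-FMS web ACL is reported as
        # noncompliant but left alone. True: FMS replaces it with its own ACL.
        "overrideCustomerWebACLAssociation": replace_existing_web_acls,
        "loggingConfiguration": None,
    }
    return {
        "PolicyName": policy_name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": json.dumps(managed_service_data),
        },
        "ResourceType": ALB_RESOURCE_TYPE,
        "ResourceTags": resource_tags or [],   # [] = every ALB in scope
        "ExcludeResourceTags": False,          # True would invert the tag filter
        "RemediationEnabled": remediate,
        "DeleteUnusedFMManagedResources": False,
    }


def rule_group_names(policy):
    """Read the managed rule group names back out of a policy document
    (handy for diffing what is deployed against what the repo says)."""
    data = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    return [
        rg["managedRuleGroupIdentifier"]["managedRuleGroupName"]
        for rg in data["preProcessRuleGroups"] + data["postProcessRuleGroups"]
        if rg["ruleGroupType"] == "ManagedRuleGroup"
    ]


def validate_policy(policy):
    """Catch the two mistakes that make put_policy fail: ManagedServiceData
    not being a string, and an outer Type that disagrees with the inner one."""
    svc = policy["SecurityServicePolicyData"]
    if not isinstance(svc["ManagedServiceData"], str):
        return False, "ManagedServiceData must be a JSON string"
    inner = json.loads(svc["ManagedServiceData"])
    if inner.get("type") != svc["Type"]:
        return False, "SecurityServicePolicyData.Type and inner type disagree"
    return True, "ok"


def put_policy(policy, region_name):
    """Send the policy with boto3 (imported lazily so the builder runs without
    AWS credentials). Run this from the Firewall Manager administrator account."""
    import boto3  # assumption: boto3 installed and credentials configured
    ok, why = validate_policy(policy)
    if not ok:
        raise ValueError(why)
    return boto3.client("fms", region_name=region_name).put_policy(Policy=policy)


if __name__ == "__main__":
    policy = build_waf_policy(
        "org-alb-baseline",   # hypothetical policy name
        ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesSQLiRuleSet"],
        resource_tags=[{"Key": "Environment", "Value": "prod"}],  # assumption
    )
    print(json.dumps(policy, indent=2))
```

Leave overrideCustomerWebACLAssociation at False for the first rollout: accounts that already run their own web ACL then show up as noncompliant in the compliance view instead of silently losing their rules, and you can review them before flipping the flag.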

To check policy compliance via CLI:

aws fms list-compliance-status --policy-id <policy-id>

To view noncompliant resources:

aws fms get-compliance-detail --policy-id <policy-id> --member-account <account-id>
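The two CLI commands above map to ListComplianceStatus and GetComplianceDetail. The following added example (not code from the original page or from AWS) drives both through any boto3-style client, pages with NextToken, and keeps resource violations apart from accounts whose evaluation failed because a dependency such as AWS Config is missing, which the API reports in IssueInfoMap rather than as a violator. FakeFmsClient and its responses are constructed so the code runs offline; swap in boto3.client("fms") for real use.

```python
"""Summarize Firewall Manager compliance per member account for one policy.

Added example, not code from the original page or from AWS. Any object with
list_compliance_status / get_compliance_detail methods in the boto3 shape can
be passed in; FakeFmsClient holds constructed responses for a hypothetical
policy 'pol-1111' across three member accounts.
"""


def summarize_policy_compliance(fms, policy_id):
    """Return {'compliant': [accounts], 'noncompliant': {account: [(resource_id, reason)]},
    'dependency_issues': {account: {service: message}}}."""
    summary = {"compliant": [], "noncompliant": {}, "dependency_issues": {}}
    kwargs = {"PolicyId": policy_id}
    while True:
        page = fms.list_compliance_status(**kwargs)
        for status in page.get("PolicyComplianceStatusList", []):
            account = status["MemberAccount"]
            issues = status.get("IssueInfoMap") or {}
            if issues:
                # e.g. {"AWSCONFIG": ...}: the account was not really evaluated, so it
                # belongs in neither the compliant nor the violating bucket.
                summary["dependency_issues"][account] = dict(issues)
                continue
            results = status.get("EvaluationResults", [])
            if all(r.get("ComplianceStatus") == "COMPLIANT" for r in results):
                summary["compliant"].append(account)
                continue
            # Fetch per-resource detail only for accounts that need it.
            detail = fms.get_compliance_detail(PolicyId=policy_id, MemberAccount=account)
            violators = detail["PolicyComplianceDetail"].get("Violators", [])
            summary["noncompliant"][account] = [
                (v["ResourceId"], v["ViolationReason"]) for v in violators
            ]
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    return summary


def report_lines(summary):
    """Render the summary as plain lines, dependency problems first: an account
    with no AWS Config recorder looks 'quiet' and is the usual false negative."""
    lines = []
    for account, issues in sorted(summary["dependency_issues"].items()):
        for service, message in issues.items():
            lines.append(f"DEPENDENCY {account} {service}: {message}")
    for account, violators in sorted(summary["noncompliant"].items()):
        for resource_id, reason in violators:
            lines.append(f"NON_COMPLIANT {account} {reason} {resource_id}")
    for account in sorted(summary["compliant"]):
        lines.append(f"COMPLIANT {account}")
    return lines


class FakeFmsClient:
    """Offline stand-in for boto3.client('fms') with constructed responses."""

    def __init__(self):
        alb = "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/web/abc123"
        self._pages = {
            None: {
                "PolicyComplianceStatusList": [
                    {"PolicyId": "pol-1111", "MemberAccount": "111111111111",
                     "EvaluationResults": [{"ComplianceStatus": "COMPLIANT", "ViolatorCount": 0}]},
                    {"PolicyId": "pol-1111", "MemberAccount": "222222222222",
                     "EvaluationResults": [{"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 1}]},
                ],
                "NextToken": "page-2",
            },
            "page-2": {
                "PolicyComplianceStatusList": [
                    {"PolicyId": "pol-1111", "MemberAccount": "333333333333",
                     "EvaluationResults": [],
                     # constructed message; real wording comes from the service
                     "IssueInfoMap": {"AWSCONFIG": "AWS Config is not enabled in this account/Region"}},
                ],
            },
        }
        self._details = {
            "222222222222": {"PolicyComplianceDetail": {"Violators": [
                {"ResourceId": alb, "ViolationReason": "RESOURCE_MISSING_WEB_ACL",
                 "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer"},
            ]}},
        }
        self.detail_calls = []

    def list_compliance_status(self, PolicyId, NextToken=None):
        return self._pages[NextToken]

    def get_compliance_detail(self, PolicyId, MemberAccount):
        self.detail_calls.append(MemberAccount)
        return self._details[MemberAccount]


if __name__ == "__main__":
    for line in report_lines(summarize_policy_compliance(FakeFmsClient(), "pol-1111")):
        print(line)
```

Treat the DEPENDENCY lines as the urgent ones: until AWS Config is recording in that account and Region, Firewall Manager has no view of its resources and the policy is silently unenforced there.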

Interaction with Related Technologies

AWS Organizations: Firewall Manager relies on Organizations to discover accounts and resources. It must be enabled in the management account or delegated administrator.

AWS Config: Firewall Manager reads resource configuration from AWS Config and uses it to evaluate compliance, so Config must be enabled in every account and Region where you want Firewall Manager to operate, with the recorder capturing the resource types your policies target. A member account without Config shows a dependency issue in the policy's compliance view rather than a resource-level result.

AWS WAF & Shield Advanced: Firewall Manager creates and attaches web ACLs in member accounts and applies Shield Advanced protection to in-scope resources across accounts. Shield Advanced is a paid subscription; the policy extends its protections to every in-scope account, so budget for it before enabling the policy.

VPC Security Groups: Firewall Manager can distribute a common security group and attach it to in-scope resources, audit the contents of existing security groups against allowed or denied rules (content audit), and find unused or redundant security groups (usage audit). Audit policies inspect rules, not traffic; Firewall Manager never sees packets.

AWS Network Firewall: Firewall Manager can deploy Network Firewall policies across VPCs in multiple accounts.

AWS CloudFormation StackSets: While not directly integrated, you can use StackSets to deploy Firewall Manager prerequisites (like AWS Config) across accounts.

Important Exam Considerations

Firewall Manager only works within AWS Organizations. If the scenario does not mention Organizations, Firewall Manager is not the answer.

It does not replace AWS WAF or Shield Advanced; it manages them centrally.

Security group policies behave differently per sub-type. A common policy does not edit your existing groups; it replicates the primary group into each account and associates the replica with in-scope resources. A content audit policy does edit existing groups: with auto remediation on, it removes rules that violate the allowed/denied rule set. Neither can stop a noncompliant rule from being created in the first place; only an SCP or IAM policy prevents the API call.

It supports multiple Regions, but policies are Regional: create one in each Region where you want enforcement. The one exception is CloudFront, which is global; a WAF or Shield Advanced policy for CloudFront distributions is created in us-east-1.

Firewall Manager does not support every resource type; check the supported resource types for each policy type. A WAF policy, for instance, covers CloudFront, API Gateway, ALB and AppSync but not a Network Load Balancer or an EC2 instance, which need a different control (security groups, Network Firewall).
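What a content audit security group policy with a denied rule actually flags, and what its auto remediation would strip, as an added example that is not code from the original page or from AWS. Input uses the JSON shape of aws ec2 describe-security-groups; the three groups are constructed, and the matching rule (a security group rule is flagged when its protocol, port range and source CIDR all cover the denied rule) is this example's approximation of the audit, not AWS's published algorithm. It is the kind of check worth running over CloudFormation output in CI before Firewall Manager sees the real groups.

```python
"""Local pre-check mirroring a Firewall Manager content audit security group
policy with denied rules, and what its auto remediation would remove.

Added example, not code from the original page or from AWS. The matching
semantics are an approximation: a rule is flagged when its protocol, port
range and source CIDR all cover a denied rule ("-1" covers every protocol,
0.0.0.0/0 covers every IPv4 source).
"""
import copy
import ipaddress

# The denied rule used throughout this chapter: inbound SSH from anywhere.
DENIED_INGRESS = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "::/0"},
]


def _protocol_covers(perm, denied):
    return perm["IpProtocol"] in ("-1", denied["protocol"])   # "-1" = all protocols


def _ports_cover(perm, denied):
    if perm["IpProtocol"] == "-1":
        return True                                            # all-traffic rule has no ports
    return (perm.get("FromPort", 0) <= denied["from_port"]
            and perm.get("ToPort", 65535) >= denied["to_port"])


def _cidr_covers(rule_cidr, denied_cidr):
    """True when the rule's source equals or contains the denied CIDR."""
    rule = ipaddress.ip_network(rule_cidr, strict=False)
    denied = ipaddress.ip_network(denied_cidr, strict=False)
    return rule.version == denied.version and rule.supernet_of(denied)


def _offending_sources(perm, denied_rules):
    """Yield (cidr, denied_rule) for each source of one permission that matches."""
    for d in denied_rules:
        if not (_protocol_covers(perm, d) and _ports_cover(perm, d)):
            continue
        for rng in perm.get("IpRanges", []):
            if _cidr_covers(rng["CidrIp"], d["cidr"]):
                yield rng["CidrIp"], d
        for rng in perm.get("Ipv6Ranges", []):
            if _cidr_covers(rng["CidrIpv6"], d["cidr"]):
                yield rng["CidrIpv6"], d


def find_denied_rules(group, denied_rules=DENIED_INGRESS):
    """Return [(group_id, cidr, protocol, from_port, to_port)] for each violation."""
    findings = []
    for perm in group.get("IpPermissions", []):
        for cidr, _ in _offending_sources(perm, denied_rules):
            findings.append((group["GroupId"], cidr, perm["IpProtocol"],
                             perm.get("FromPort"), perm.get("ToPort")))
    return findings


def remediate(group, denied_rules=DENIED_INGRESS):
    """Return a copy with offending sources removed; a permission left with no
    sources is dropped. The original dict is untouched."""
    fixed = copy.deepcopy(group)
    kept = []
    for perm in fixed.get("IpPermissions", []):
        bad = {cidr for cidr, _ in _offending_sources(perm, denied_rules)}
        perm["IpRanges"] = [r for r in perm.get("IpRanges", []) if r["CidrIp"] not in bad]
        perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] not in bad]
        if any(perm.get(k) for k in ("IpRanges", "Ipv6Ranges", "UserIdGroupPairs", "PrefixListIds")):
            kept.append(perm)
    fixed["IpPermissions"] = kept
    return fixed


def audit(groups, denied_rules=DENIED_INGRESS):
    """Return {group_id: findings} for every noncompliant group."""
    return {g["GroupId"]: f for g in groups if (f := find_denied_rules(g, denied_rules))}


# Constructed sample groups (describe-security-groups shape, trimmed).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0corp", "IpPermissions": [          # SSH only from the corporate range
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0all", "IpPermissions": [           # all traffic from anywhere covers 22
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for gid, findings in audit(SAMPLE_GROUPS).items():
        print(gid, "NON_COMPLIANT:", findings)
```

Note the sg-0all case: an "all traffic from 0.0.0.0/0" rule never mentions port 22, yet it grants the denied access, so a check that only looks for a literal 22/0.0.0.0/0 pair misses it. The same reasoning applies to the real policy: write denied rules for the access you want gone, not for the exact strings you expect developers to type.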

Common Exam Traps

Trap 1: Expecting Firewall Manager to *prevent* a noncompliant change, such as blocking a developer from adding an open SSH rule. Reality: Firewall Manager is detective and corrective. It finds the noncompliant resource after the change and, if auto remediation is on, fixes it, so a window between change and fix always exists. To prevent the API call itself, use an SCP or IAM policy.

Trap 2: Thinking Firewall Manager can enforce policies in accounts outside the organization. Reality: It only works within an AWS Organization.

Trap 3: Assuming Firewall Manager works without AWS Config. Reality: AWS Config must be enabled for compliance evaluation.

Trap 4: Confusing Firewall Manager with AWS Config rules. AWS Config *records and evaluates* resource configurations; Firewall Manager *builds on Config* to enforce a firewall policy and remediate drift across accounts. They are complementary, and Firewall Manager cannot run without Config.

Step-by-Step Policy Enforcement Process

1. Policy Creation: The Firewall Manager administrator defines a policy specifying the security service configuration (rule groups, primary security group, firewall policy), the scope, and whether auto remediation is enabled.

2. Resource Discovery: Firewall Manager uses AWS Organizations to list in-scope accounts and AWS Config in each account to list in-scope resources.

3. Compliance Evaluation: Firewall Manager evaluates each resource against the policy. For a WAF policy it checks that the managed web ACL is attached; for a content audit security group policy it checks the group's rules against the allowed or denied rules.

4. Remediation: If a resource is noncompliant and auto remediation is enabled, Firewall Manager applies the policy: it attaches the web ACL, associates the replica security group, or removes the offending rules.

5. Continuous Monitoring: Firewall Manager re-evaluates resources as AWS Config reports new or changed configurations, typically within minutes.

6. Reporting: Compliance status is available in the Firewall Manager console and through the FMS API (ListComplianceStatus, GetComplianceDetail); AWS Config holds the underlying resource history.

Real World Section

Scenario 1: Multi-Account Web Application Firewall. A financial services company has 50 AWS accounts, each hosting multiple web applications behind Application Load Balancers. They need a common set of OWASP Top 10 mitigations (SQL injection, XSS) on every ALB. Using Firewall Manager, they create a single AWS WAF policy with AWS managed rule groups, scoped to all ALBs in all accounts, with auto remediation enabled. When a developer creates a new ALB in a member account, Firewall Manager attaches the managed web ACL within minutes; if a developer detaches it, Firewall Manager reattaches it. Because the company subscribes to Shield Advanced, they add a Shield Advanced policy so every ALB is protected, and a rate-based rule in the WAF policy covers application-layer floods. The main operational challenge was ensuring AWS Config was enabled in all accounts and Regions, which they automated with CloudFormation StackSets.

Scenario 2: Security Group Compliance. A healthcare organization must ensure that no security group in any account allows inbound SSH (port 22) from 0.0.0.0/0 or ::/0, while still allowing SSH from the corporate IP range. They create two policies: a common security group policy whose primary group allows SSH only from the corporate range and is associated with in-scope instances, and a content audit policy with a denied rule of TCP/22 from 0.0.0.0/0 and ::/0. If a developer creates a group with an open SSH rule, the audit policy flags it and, with auto remediation enabled, removes the rule. Developers who defined their own security groups in CloudFormation templates kept reintroducing the open rule, so the team first ran the audit policy with auto remediation off to inventory violations, fixed the templates and trained the teams, then enabled auto remediation.

Scenario 3: Network Firewall for VPC Inspection A gaming company uses AWS Network Firewall to inspect east-west traffic across VPCs in multiple accounts. They create a Firewall Manager Network Firewall policy that deploys a common set of domain filtering rules to all VPCs. When a new VPC is created, Firewall Manager automatically deploys the Network Firewall endpoint and associates the rule groups. The company must ensure that the VPCs have the necessary subnets for the firewall endpoints, which they pre-create using a VPC template. Without Firewall Manager, they would have to manually configure Network Firewall in each account, leading to configuration drift.

Exam Focus Section

SAA-C03 Objective 1.3: Secure Architectures – Design secure access to AWS resources. Firewall Manager is specifically tested under this objective, often in scenarios requiring centralized security policy management across multiple accounts.

What the Exam Tests:

Understanding that Firewall Manager is a *centralized management* tool, not a firewall itself.

Knowing the core policy types: AWS WAF, Shield Advanced, security groups, Network Firewall (DNS Firewall, network ACL and third-party firewall policies also exist but are rarely tested).

Recognizing prerequisites: AWS Organizations, AWS Config enabled.

Identifying when to use Firewall Manager vs. AWS Config vs. AWS Organizations SCPs.

Understanding that Firewall Manager can automatically remediate noncompliant resources.

Common Wrong Answers and Why:

1. AWS Config: Candidates confuse Firewall Manager with AWS Config because both deal with compliance. AWS Config is a *detective* service that records resource changes and evaluates rules; Firewall Manager builds on it to *enforce* firewall policies and remediate drift across accounts. If the question asks for automatic enforcement of WAF or security group rules across accounts, Firewall Manager is correct; if it asks for auditing configuration changes, AWS Config is correct.
2. AWS Organizations SCPs: SCPs control which API actions principals may call; they do not inspect resource configuration. An SCP can stop accounts from calling ec2:AuthorizeSecurityGroupIngress at all, but it cannot say "only if the source is not 0.0.0.0/0". SCPs are *preventive*; Firewall Manager is *corrective*.
3. AWS WAF alone: If the question involves a single account, AWS WAF might be enough. If it mentions multiple accounts and centralized, automatic management, Firewall Manager is the answer.
4. Third-party firewall: If the question asks for centralized management of AWS-native firewall services across accounts, the answer is Firewall Manager, not a third-party product. (Firewall Manager can also deploy supported third-party firewalls, but the exam does not go there.)

Specific Numbers and Terms: - Evaluation is change-driven; new resources are handled within minutes. - Policy quotas are per Region and adjustable (20 policies per organization per Region by default). - One policy per Region; CloudFront policies live in us-east-1. - $100 per policy per Region per month is the service's own charge. - 'Delegated administrator' (the Firewall Manager administrator account) is a key term. - 'Scope' (resource type, tags, accounts/OUs) defines what a policy covers.

Edge Cases:

Firewall Manager is not available in every Region. It is offered in the commercial Regions and in AWS GovCloud (US); check the AWS Regional Services list for the China Regions and for any newly launched Region before planning.

A common security group policy associates its replica group with in-scope EC2 instances and ENIs, but it does not rewrite the rules of groups you created; that is the job of a content audit policy.

If a resource is in a region where Firewall Manager is not enabled, it is not evaluated.

How to Eliminate Wrong Answers:

If the scenario does not mention AWS Organizations, eliminate Firewall Manager.

If the requirement is to *detect* noncompliance rather than *enforce*, choose AWS Config.

If the requirement is to control API actions (e.g., prevent creating a security group), choose SCPs.

If the scenario involves a single account, the simpler service (e.g., AWS WAF) is likely correct.

Misconceptions

- Myth: Firewall Manager only manages security group rules and never touches instances. Reality: a common security group policy replicates a primary group into member accounts and associates the replica with in-scope EC2 instances, ENIs and load balancers; content audit policies check (and can fix) rule contents; usage audit policies find unused and redundant groups. What Firewall Manager cannot do is block the creation of a noncompliant rule; that needs an SCP or IAM policy.
- Myth: Firewall Manager works without AWS Config. Reality: AWS Config is required for compliance evaluation. Without it, Firewall Manager cannot see the resources in an account.
- Myth: Firewall Manager can enforce policies across any AWS account. Reality: It only works within an AWS Organization. Cross-account management outside an organization is not supported.
- Myth: Firewall Manager replaces AWS WAF, Shield, or Network Firewall. Reality: It is a management layer; the underlying services still run and incur costs.
- Myth: Firewall Manager policies are global. Reality: Policies are Regional. You must create a policy in each Region where you want enforcement; the exception is CloudFront, whose policies are created in us-east-1.

Comparisons

Firewall Manager vs. AWS Config: Firewall Manager enforces firewall policies and remediates drift across the organization; AWS Config detects and records noncompliance and, by itself, fixes nothing unless you attach a remediation action (an SSM Automation document you write and maintain) to each rule. Firewall Manager is corrective and purpose-built for firewall services; AWS Config is detective and general-purpose, and Firewall Manager depends on it.

Firewall Manager vs. AWS Organizations SCPs: SCPs control what actions users can perform (e.g., 'deny ec2:AuthorizeSecurityGroupIngress'), while Firewall Manager controls the actual configuration of resources (e.g., 'ensure security group does not allow SSH from 0.0.0.0/0'). They complement each other.

Firewall Manager vs. AWS WAF: AWS WAF is a web application firewall that protects individual resources; Firewall Manager centrally manages WAF policies across multiple accounts and resources.

Key Takeaways

Firewall Manager is a centralized policy management service for AWS WAF, Shield Advanced, security groups and Network Firewall (plus DNS Firewall, network ACL and third-party firewall policies).

It requires AWS Organizations and AWS Config.

It automatically applies policies to new and existing resources.

Policy quotas are per Region and adjustable; do not design around memorized limits.

Compliance is evaluated continuously as AWS Config reports changes, typically within minutes.

It does not replace the underlying services; it manages them.

Policies are region-specific.

Delegated administrator allows a member account to manage policies.

Firewall Manager remediates after the fact; it does not prevent noncompliant API calls (use SCPs or IAM for that).

It is not a substitute for AWS Config or SCPs; it works alongside them.

FAQ

- Q: Does Firewall Manager work across multiple Regions? A: Yes, but you must create a policy in each Region; Firewall Manager does not replicate policies across Regions. CloudFront (global) policies are created in us-east-1.
- Q: Can Firewall Manager enforce security group rules on existing security groups? A: Yes, through a content audit policy: with auto remediation enabled it removes rules that violate the policy's allowed or denied rule set. A common security group policy does not edit existing groups; it distributes a copy of the primary group and attaches it to in-scope resources.
- Q: Do I need AWS Config for Firewall Manager? A: Yes, AWS Config must be enabled in all accounts and Regions where you want Firewall Manager to evaluate compliance.
- Q: Can I use Firewall Manager without AWS Organizations? A: No, Firewall Manager requires an AWS Organization with all features enabled.
- Q: Is Firewall Manager free? A: No. It charges $100 per policy per Region per month (not charged to Shield Advanced subscribers), plus the underlying services (WAF, Shield Advanced, Network Firewall) and the AWS Config charges it depends on.
- Q: Can Firewall Manager protect resources in a single account? A: Technically yes, but it is overkill. For a single account, use AWS WAF, Shield, or security groups directly.
- Q: What is a delegated administrator? A: It is a member account that you designate as the Firewall Manager administrator, so that policies are managed without using the management account.

Quiz

- Q: A company has 100 AWS accounts in an organization. They want to ensure that all Application Load Balancers are protected by a common set of AWS WAF rules, and that any new ALB automatically gets these rules. Which service should they use? A: AWS Firewall Manager. It centrally manages WAF policies across accounts and automatically applies them to new resources.
- Q: Which of the following is a prerequisite for using AWS Firewall Manager? A: AWS Organizations with all features enabled and AWS Config enabled in all accounts.
- Q: A security team wants to detect when a security group allows inbound SSH from 0.0.0.0/0, but they do not want to automatically fix it. Which service should they use? A: AWS Config with a managed rule (e.g., 'restricted-ssh'). Firewall Manager is for enforcement, not just detection.
- Q: True or False: Firewall Manager can attach a security group to EC2 instances across accounts. A: True. A common security group policy replicates the primary group into each member account and associates the replica with in-scope instances and ENIs.
- Q: How does Firewall Manager find a new noncompliant resource? A: Through AWS Config, which records the new resource's configuration; Firewall Manager evaluates it and, with auto remediation on, fixes it, typically within minutes. There is no fixed polling interval to memorize.


Walk-Through

1. Enable AWS Organizations

Before using Firewall Manager, you must have an AWS Organization with all features enabled, so that Firewall Manager can discover accounts and resources across the organization. From the management account, designate the Firewall Manager administrator account; this can be the management account itself, but a dedicated security member account (delegated administrator) is the recommended choice. Ensure that all member accounts have accepted their invitations. Without this step Firewall Manager cannot operate.

2. Enable AWS Config

AWS Config must be enabled in every account and Region where you want Firewall Manager to evaluate compliance, with the configuration recorder capturing the resource types your policies target. Firewall Manager reads resource configuration from Config to decide whether a resource complies. Enable Config via the console, CLI, or CloudFormation StackSets to cover all accounts at once.

3. Create a Firewall Manager Policy

In the Firewall Manager console (administrator account), choose a policy type: AWS WAF, Shield Advanced, security group or Network Firewall (DNS Firewall, network ACL and third-party firewall policies are also available). Define the policy content by selecting rule groups (WAF, Network Firewall), a primary security group (common security group policy) or allowed/denied rules (content audit policy). Set the scope: resource types (e.g., ALB), optional tag filters, and the accounts or OUs to include or exclude. Finally choose whether auto remediation is on (enforce) or off (report only).

4. Policy Evaluation and Remediation

Firewall Manager evaluates every in-scope resource when the policy is saved and again whenever AWS Config reports a new or changed resource. A noncompliant resource is remediated automatically if auto remediation is on: for a WAF policy the managed web ACL is attached to the ALB; for a common security group policy the replica group is associated with the resource; for a content audit policy the offending rules are removed.

5. Monitor Compliance

After policy creation, monitor compliance in the Firewall Manager console, which summarizes compliant and noncompliant resources per policy and per account. For detail, use the FMS API (ListComplianceStatus, GetComplianceDetail) or AWS Config's resource history. If auto remediation is off, you must fix noncompliant resources yourself. Firewall Manager can also publish notifications to an Amazon SNS topic (PutNotificationChannel) for downstream automation.

What This Looks Like on the Job

Scenario 1: Multi-Account Web Application Firewall A financial services company has 50 AWS accounts, each hosting multiple web applications behind Application Load Balancers. They need to enforce a common set of OWASP Top 10 rules (e.g., SQL injection, XSS) across all ALBs. Using Firewall Manager, they create a single AWS WAF policy with managed rule groups. The policy targets all ALBs in all accounts. When a developer creates a new ALB in a member account, Firewall Manager automatically attaches the web ACL within minutes. If a developer accidentally detaches the web ACL, Firewall Manager reattaches it. The company also uses Shield Advanced for DDoS protection; Firewall Manager enables Shield Advanced on all accounts and configures the same WAF rules for rate limiting. In production, they handle over 10,000 web ACL evaluations per month without issues. The main challenge is ensuring AWS Config is enabled in all accounts and regions, which they automate via CloudFormation StackSets.

Scenario 2: Security Group Compliance A healthcare organization must ensure that no security group in any account allows inbound SSH (port 22) from 0.0.0.0/0. They create a Firewall Manager security group policy that denies this rule. However, they also need to allow SSH from a specific corporate IP range. They create a 'base' security group with the allowed IP and use Firewall Manager to enforce that all security groups must include this base group. If a developer creates a security group with an open SSH rule, Firewall Manager flags it as noncompliant and, if remediation is enabled, removes the rule. The company runs into issues when developers use inline policies in CloudFormation that bypass the base group; they fix this by using Firewall Manager's 'audit mode' first to identify violations, then enforce after training.

Scenario 3: Network Firewall for VPC Inspection A gaming company uses AWS Network Firewall to inspect east-west traffic across VPCs in multiple accounts. They create a Firewall Manager Network Firewall policy that deploys a common set of domain filtering rules to all VPCs. When a new VPC is created, Firewall Manager automatically deploys the Network Firewall endpoint and associates the rule groups. The company must ensure that the VPCs have the necessary subnets for the firewall endpoints, which they pre-create using a VPC template. Without Firewall Manager, they would have to manually configure Network Firewall in each account, leading to configuration drift.

How SAA-C03 Actually Tests This

SAA-C03 Objective 1.3: Secure Architectures – Design secure access to AWS resources. Firewall Manager is specifically tested under this objective, often in scenarios requiring centralized security policy management across multiple accounts.

What the Exam Tests:

Understanding that Firewall Manager is a *centralized management* tool, not a firewall itself.

Knowing the four policy types: AWS WAF, Shield Advanced, Security Groups, Network Firewall.

Recognizing prerequisites: AWS Organizations, AWS Config enabled.

Identifying when to use Firewall Manager vs. AWS Config vs. AWS Organizations SCPs.

Understanding that Firewall Manager can automatically remediate noncompliant resources.

Common Wrong Answers and Why: 1. AWS Config: Candidates confuse Firewall Manager with AWS Config because both deal with compliance. However, AWS Config is a *detective* service that records resource changes and evaluates rules; Firewall Manager is a *preventive* service that enforces policies. If the question asks for automatic enforcement of security group rules across accounts, Firewall Manager is correct; if it asks for auditing changes, AWS Config is correct. 2. AWS Organizations SCPs: SCPs control permissions at the account level, not resource configurations. A question about enforcing specific security group rules is not solved by SCPs. SCPs can prevent users from creating security groups altogether, but they cannot enforce the content of security group rules. 3. AWS WAF alone: If the question involves a single account, AWS WAF might be enough. But if it mentions multiple accounts and centralized management, Firewall Manager is the answer. 4. Third-party firewall: AWS Firewall Manager is native; there is no need for third-party tools. If the question says 'centralized firewall management across accounts', the answer is Firewall Manager.

Specific Numbers and Terms: - 5-minute compliance check interval. - 100 policies per organization. - 10 rule groups per WAF policy. - 'Delegated administrator' is a key term. - 'Resource set' defines scope.

Edge Cases:

Firewall Manager does not support all regions; it is available in most commercial regions but not in China or GovCloud (initially).

It cannot manage security groups for EC2 instances directly; it manages the security group rules themselves.

If a resource is in a region where Firewall Manager is not enabled, it is not evaluated.

How to Eliminate Wrong Answers:

If the scenario does not mention AWS Organizations, eliminate Firewall Manager.

If the requirement is to *detect* noncompliance rather than *enforce*, choose AWS Config.

If the requirement is to control API actions (e.g., prevent creating a security group), choose SCPs.

If the scenario involves a single account, the simpler service (e.g., AWS WAF) is likely correct.

Key Takeaways

Firewall Manager is a centralized policy management service for AWS WAF, Shield Advanced, Security Groups, and Network Firewall.

It requires AWS Organizations and AWS Config.

It automatically applies policies to new and existing resources.

It supports up to 100 policies per organization.

Compliance is checked every 5 minutes.

It does not replace the underlying services; it manages them.

Policies are region-specific.

Delegated administrator allows a member account to manage policies.

Firewall Manager cannot manage security group-to-instance associations.

It is not a substitute for AWS Config or SCPs; it works alongside them.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Firewall Manager
- Centralized policy enforcement across accounts
- Automatically remediates noncompliant resources (when auto remediation is enabled)
- Requires AWS Organizations and AWS Config
- Manages WAF, Shield Advanced, security groups, Network Firewall (and DNS Firewall, network ACLs, third-party firewalls)
- Corrective: keeps firewall configuration in its desired state

AWS Config
- Records resource configuration changes
- Detects noncompliance but does not fix it by itself (unless a remediation action is configured)
- Works in single or multiple accounts, with or without Organizations
- Evaluates rules against any supported resource type
- Detective: auditing and change tracking
