SOA-C02 | Chapter 98 of 104 | Objective 4.2

AWS Firewall Manager

This chapter covers AWS Firewall Manager, a security management service that centrally configures and enforces firewall rules across accounts and resources in an AWS Organization. For the SOA-C02 exam, Firewall Manager appears in Domain 4 (Security) under Objective 4.2 (Implement and manage security services). Approximately 5-8% of exam questions touch on Firewall Manager, often comparing it to AWS WAF, Shield, and security groups, and testing your understanding of its policy types, remediation actions, and integration with AWS Organizations. Mastering this topic is critical for scenarios requiring centralized security policy enforcement in multi-account environments.

25 min read
Intermediate
Updated May 31, 2026

Firewall Manager as a Central Security Policy Office

Think of a large corporation with dozens of branch offices, each with its own security guard stationed at the entrance. The guards have a list of rules about who can enter, but each branch has been writing its own rules independently. Some branches allow visitors with just a badge, others require a background check, and some have no rules at all. This inconsistency creates security gaps. Now, the corporation hires a central security policy office. This office drafts a single, company-wide security policy manual. It then distributes that manual to every branch's guard. If a branch deviates from the manual, the central office automatically sends an updated manual and enforces compliance. The guards no longer create their own rules; they only follow the central manual. In AWS, Firewall Manager is that central policy office. It defines a single set of firewall rules (like AWS WAF rules or security group rules) and applies them across all accounts in an AWS Organization. If a new account joins, Firewall Manager automatically enforces the policy. If an administrator in a member account tries to modify a security group that is under policy, Firewall Manager can auto-remediate it, reverting the change just like the central office sending a correction to a branch guard. The key mechanism is that Firewall Manager does not act on traffic directly; it acts on the configuration of firewalls across accounts, ensuring consistent enforcement.

How It Actually Works

What is AWS Firewall Manager and Why It Exists

AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across accounts and resources in an AWS Organization. It simplifies administration by enabling you to define a single set of security policies—such as AWS WAF rules, AWS Shield Advanced protections, security group rules, and network firewall policies—and then automatically apply those policies across all accounts in your organization. Without Firewall Manager, each account administrator would need to manually configure and maintain firewall rules, leading to inconsistencies, misconfigurations, and security gaps. Firewall Manager ensures that security policies are uniformly enforced, even as new accounts are added or existing resources are created.

How It Works Internally

Firewall Manager operates by using AWS Organizations to discover accounts and resources within your organization. You first designate an account as the Firewall Manager administrator account. This account has permission to create and manage policies that are applied to member accounts. When you create a policy, you specify the accounts and resources to which it applies—either all accounts in the organization, specific organizational units (OUs), or individual accounts. You also define the resource type (e.g., Application Load Balancer, CloudFront distribution, security group) and the rules to enforce.

Once a policy is created, Firewall Manager continuously evaluates the compliance of the target resources. If a resource is non-compliant (e.g., a security group has an allowed inbound rule that violates the policy), Firewall Manager can automatically remediate by modifying the resource to match the policy. This remediation is configurable: you can choose to auto-remediate or only report non-compliance. The service uses AWS Config rules and AWS Lambda functions behind the scenes to detect and remediate violations.

Key Components, Values, Defaults, and Timers

Policy Types: Firewall Manager supports several policy types:

AWS WAF: Manage web ACLs for Application Load Balancers, API Gateways, CloudFront distributions, and AWS AppSync.

AWS Shield Advanced: Enable Shield Advanced protections for resources like ELB, CloudFront, Route 53, and Global Accelerator.

Security Groups: Define a common set of security group rules for EC2 instances, ENIs, and managed services like RDS or ElastiCache. You can create first-party (common) security groups or audit security group usage.

AWS Network Firewall: Deploy and manage Network Firewall policies across VPCs.

Amazon Route 53 Resolver DNS Firewall: Manage DNS firewall rules.

Policy Scope: You can scope policies to:

- All accounts in the organization
- Specific OUs
- Individual accounts
- Exclude specific accounts or resources

Remediation Options: For each policy, you can set:

- Auto-remediate: Automatically fix non-compliant resources.
- Report only: Only log non-compliance events (via AWS Config).

Evaluation Frequency: Firewall Manager evaluates compliance every 30 minutes. Changes to resources or policies trigger an immediate evaluation.

Default Limits:

Maximum number of Firewall Manager policies per organization: 10 (soft limit, can be increased via support request).

Maximum number of security group rules per policy: 100.

Maximum number of AWS WAF rules per policy: 10 (can be increased).

Configuration and Verification Commands

Firewall Manager is primarily managed via the AWS Management Console, AWS CLI, or SDK. Key AWS CLI commands:

- Associate an administrator account:

aws organizations register-delegated-administrator --account-id 123456789012 --service-principal fms.amazonaws.com

- Create a policy:

aws fms put-policy --policy file://policy.json

(put-policy takes the whole policy as one JSON document rather than separate name and type flags; policy.json carries the PolicyName, the SecurityServicePolicyData Type such as WAFV2, the ResourceType, the RemediationEnabled flag, and the account/OU scope.)

- List policies:

aws fms list-policies

- Get compliance status:

aws fms get-compliance-detail --policy-id <policy-id> --member-account <account-id>

Interaction with Related Technologies

Firewall Manager integrates deeply with:

- AWS Organizations: Required to use Firewall Manager. You must enable all features in Organizations and register a delegated administrator for Firewall Manager.
- AWS Config: Firewall Manager uses Config rules to evaluate compliance. You must enable AWS Config in all member accounts.
- AWS WAF & Shield: Firewall Manager can create and manage WAF web ACLs and Shield Advanced protections.
- Amazon CloudWatch: Logs and metrics are sent to CloudWatch for monitoring.
- AWS Lambda: Used for auto-remediation actions.

Exam-Relevant Details

Firewall Manager does not inspect traffic; it only manages firewall configurations.

You cannot use Firewall Manager without AWS Organizations.

Security group policies can be either common (enforce a set of rules) or audit (monitor for specific rules).

Firewall Manager supports cross-account and cross-region policy enforcement (for global services like CloudFront).

When using auto-remediation, Firewall Manager uses a service-linked role named AWSServiceRoleForFMS.

The service is available in all commercial AWS regions, but some policy types may have regional limitations (e.g., Network Firewall is not available in all regions).

Walk-Through

1. Enable AWS Organizations

Before using Firewall Manager, you must have an AWS Organization with all features enabled. This is a prerequisite because Firewall Manager needs to discover accounts and apply policies across the organization. If you have a consolidated billing organization, you must upgrade to all features. This step involves creating the organization from the management account or inviting existing accounts. Once enabled, you can register a delegated administrator for Firewall Manager. Without this, Firewall Manager cannot function. On the exam, remember that only the management account can designate a delegated administrator.

2. Designate Firewall Manager Admin

The management account delegates an administrator account for Firewall Manager. This account will create and manage policies. The delegated administrator must have the necessary permissions (via IAM) to access Firewall Manager and manage resources across accounts. The management account can also act as the administrator, but best practice is to delegate to a specific security account. The delegation is done via the Organizations console or CLI. Once designated, the admin account can start using Firewall Manager. Note: Only one account can be the Firewall Manager administrator at a time.

3. Enable AWS Config in Member Accounts

Firewall Manager uses AWS Config to evaluate resource compliance. You must enable AWS Config in every member account and region where you want to enforce policies. Config records resource configurations and changes. Firewall Manager creates Config rules automatically when you create a policy. If Config is not enabled, Firewall Manager cannot detect non-compliant resources. On the exam, this is a common oversight: candidates forget that Config must be enabled. Also, ensure that the Config recording is active for the resource types you intend to manage (e.g., security groups, load balancers).

4. Create a Firewall Manager Policy

In the Firewall Manager console (or CLI), you create a policy by specifying the policy type (e.g., WAF, Shield, Security Group), the scope (accounts/OUs), and the rules. For WAF, you define a web ACL with rules. For security groups, you define a base set of rules that all security groups must adhere to. You also choose remediation action: auto-remediate or report only. Once created, Firewall Manager applies the policy to all in-scope resources. The policy is evaluated every 30 minutes, and any new resource that comes into scope is automatically checked. If auto-remediation is enabled, non-compliant resources are corrected immediately.

5. Monitor Compliance and Remediate

After policy creation, Firewall Manager continuously monitors compliance. You can view the compliance status in the console: it shows the number of accounts, resources, and whether they are compliant. For non-compliant resources, you can see the specific violations. If auto-remediation is on, the service automatically fixes the resource—for example, removing an unauthorized rule from a security group. If only reporting is enabled, you must manually fix issues. Firewall Manager also sends events to CloudWatch and AWS Config for auditing. On the exam, know that auto-remediation uses a Lambda function behind the scenes, and you can customize the remediation behavior.

What This Looks Like on the Job

In a large enterprise with hundreds of AWS accounts, maintaining consistent security group rules is a nightmare. Without Firewall Manager, each account team might open ports like 22 (SSH) or 3389 (RDP) to the world (0.0.0.0/0) for convenience, creating massive security risks.

A common scenario is a financial services company that must comply with PCI DSS. They use Firewall Manager to enforce a security group policy that prohibits any inbound rule allowing 0.0.0.0/0 on ports other than 80 and 443. The policy is scoped to all accounts in the production OU. When a developer creates a new EC2 instance and attaches a security group with an open SSH rule, Firewall Manager detects the violation within 30 minutes and auto-remediates by removing the offending rule. The developer gets a notification via CloudWatch and can adjust their configuration.

Another scenario involves a global e-commerce platform using CloudFront and ALBs. They use Firewall Manager to deploy a common AWS WAF web ACL that blocks SQL injection and cross-site scripting attacks. The policy applies to all CloudFront distributions and ALBs across accounts. When a new account is added to the organization, Firewall Manager automatically attaches the web ACL to any existing and new resources. This ensures consistent protection without manual intervention.

Performance-wise, Firewall Manager is lightweight because it only manages configuration, not traffic. However, if you have thousands of resources, the 30-minute evaluation window might be too slow for critical changes. In such cases, you can trigger immediate evaluation by making a change to the policy.

Misconfiguration often occurs when the delegated administrator account lacks proper IAM permissions, causing policy creation to fail. Also, if AWS Config is not enabled in a member account, Firewall Manager will report that account as non-compliant but cannot remediate. Another common issue is scoping: if you apply a security group policy to an account that has resources in a region where Config is not enabled, those resources are ignored. Always ensure Config is enabled in all target regions.

How SOA-C02 Actually Tests This

The SOA-C02 exam tests Firewall Manager under Objective 4.2 'Implement and manage security services'. Expect 2-3 questions that may ask you to identify the correct service for a scenario (Firewall Manager vs. AWS Config vs. AWS Organizations) or to understand the prerequisites and limitations.

The most common wrong answer is choosing AWS Config instead of Firewall Manager when the question asks for 'centralized policy enforcement across accounts'. AWS Config is a compliance auditing tool, not a policy enforcement service. Another trap is assuming Firewall Manager can manage security groups for EC2 instances directly: it manages security group rules, not the security groups themselves. Also, many candidates think Firewall Manager works without AWS Organizations, but it is a strict prerequisite.

The exam loves to test the difference between 'auto-remediate' and 'report only' remediation modes. Know that auto-remediation requires a service-linked role and uses Lambda. Specific numbers: the default evaluation interval is 30 minutes. The maximum number of policies is 10 (soft limit). The security group rule limit per policy is 100.

Edge cases: Firewall Manager can manage resources across regions but only for global services like CloudFront; for regional services like ALB, you need a policy per region. Also, Firewall Manager does not support all resource types, e.g., it cannot manage Network ACLs.

To eliminate wrong answers, ask: 'Does this scenario require centralized policy enforcement across multiple accounts?' If yes, Firewall Manager is likely correct. If the scenario is about auditing a single account, AWS Config is more appropriate. If it's about managing user permissions, use IAM.

Key Takeaways

Firewall Manager requires AWS Organizations with all features enabled and a delegated administrator account.

AWS Config must be enabled in all member accounts and regions where Firewall Manager policies are enforced.

Firewall Manager supports five policy types: AWS WAF, AWS Shield Advanced, Security Groups, AWS Network Firewall, and Route 53 Resolver DNS Firewall.

The default compliance evaluation interval is 30 minutes; changes trigger immediate evaluation.

Auto-remediation uses a service-linked role (AWSServiceRoleForFMS) and Lambda functions behind the scenes.

Security group policies can be common (enforce rules) or audit (monitor for specific rules).

Firewall Manager does not inspect traffic; it only manages firewall configurations.

Policy scope can be all accounts, specific OUs, or individual accounts, with exclusions possible.

Maximum of 10 Firewall Manager policies per organization (soft limit).

For regional services, create one policy per region; for global services like CloudFront, one policy covers all regions.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Firewall Manager

Centrally enforces security policies across multiple accounts in an organization.

Can auto-remediate non-compliant resources (e.g., remove unauthorized security group rules).

Requires AWS Organizations and a delegated administrator.

Manages specific policy types: WAF, Shield, Security Groups, Network Firewall, DNS Firewall.

Evaluates compliance every 30 minutes and on changes.

AWS Config

Audits resource configurations for compliance with rules (e.g., required tags, encryption).

Cannot auto-remediate; only sends notifications (via SNS) or triggers Lambda for custom remediation.

Works within a single account or across accounts via aggregators, but not as a centralized policy engine.

Manages any resource type supported by AWS Config (e.g., EC2, S3, IAM).

Evaluates compliance on configuration changes and periodically (configurable).

Watch Out for These

Mistake

Firewall Manager can inspect network traffic and block malicious requests.

Correct

Firewall Manager does not inspect traffic. It only manages the configuration of firewall services like AWS WAF, Shield, and security groups. Traffic inspection is performed by those underlying services.

Mistake

You can use Firewall Manager without enabling AWS Organizations.

Correct

Firewall Manager requires AWS Organizations with all features enabled. It relies on Organizations to discover accounts and apply policies centrally. Without Organizations, Firewall Manager cannot function.

Mistake

Firewall Manager automatically enables AWS Config in member accounts.

Correct

Firewall Manager does not enable Config. You must manually enable AWS Config in each member account and region where you want to enforce policies. Firewall Manager uses Config to evaluate compliance.

Mistake

Firewall Manager policies can be applied to individual resources like a single EC2 instance.

Correct

Firewall Manager policies are applied at the account or OU level, not to individual resources. They affect all eligible resources of the specified type (e.g., all security groups) in the target accounts.

Mistake

Firewall Manager can manage security groups for EC2 instances in a VPC across all regions with a single policy.

Correct

Security group policies are regional. You must create a policy per region if you want to enforce rules in multiple regions. Only global services like CloudFront can be managed across regions with one policy.


Frequently Asked Questions

What are the prerequisites for using AWS Firewall Manager?

The prerequisites are: (1) AWS Organizations with all features enabled, (2) a designated Firewall Manager administrator account (can be the management account or a delegated one), and (3) AWS Config enabled in all member accounts and regions where you want to enforce policies. Also, you need appropriate IAM permissions to create policies and manage resources. Without these, Firewall Manager cannot discover accounts or evaluate compliance.

How does Firewall Manager differ from AWS WAF?

AWS WAF is a web application firewall that protects your web applications from common attacks by inspecting HTTP requests. Firewall Manager is a centralized policy management service that can create and enforce WAF rules across multiple accounts. In short, WAF is the actual firewall; Firewall Manager is the tool that ensures WAF is consistently applied. You can use WAF without Firewall Manager, but Firewall Manager requires WAF (or other services) to enforce its policies.

Can Firewall Manager manage security groups for EC2 instances in a VPC?

Yes, Firewall Manager can manage security group rules. You can create a security group policy that defines a set of allowed or denied rules. This policy is then applied to all security groups in the target accounts. Firewall Manager can also audit security groups to detect rules that violate the policy. However, it does not create or delete security groups; it only modifies rules within existing security groups.

What happens if a member account disables AWS Config?

If AWS Config is disabled in a member account, Firewall Manager cannot evaluate compliance for resources in that account. The account will appear as non-compliant in the Firewall Manager console, and auto-remediation will not work. To resolve this, you must re-enable AWS Config in that account. Firewall Manager does not automatically enable Config; it relies on it being already enabled.

Does Firewall Manager support cross-region policy enforcement?

Yes, but with limitations. For global services like Amazon CloudFront and AWS Shield Advanced, a single policy applies across all regions. For regional services like Application Load Balancers and security groups, you must create a separate policy for each region where you want enforcement. Firewall Manager policies are regional by default, so you need to create the policy in each region.

How do I set up auto-remediation in Firewall Manager?

When creating a policy, under 'Remediation action', select 'Auto-remediate'. This instructs Firewall Manager to automatically fix non-compliant resources. For example, if a security group has an unauthorized rule, Firewall Manager will remove it. The service uses a Lambda function and the AWSServiceRoleForFMS role to perform remediation. You can also customize the remediation by specifying a custom Lambda function.

What is the difference between common security group policy and audit security group policy?

A common security group policy defines a baseline set of rules that all security groups must have (e.g., allow HTTP on port 80). Firewall Manager will add these rules to any security group that is missing them. An audit security group policy only monitors for specific rules (e.g., detect any security group that allows SSH from 0.0.0.0/0) and reports non-compliance without making changes. Audit policies are useful for visibility without enforcement.
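The baseline from the PCI scenario earlier in the chapter (no inbound rule open to 0.0.0.0/0 except on ports 80 and 443) and the report-only versus auto-remediate distinction just described, as an added Python example written for this page rather than Firewall Manager's own code. The function names and the sample security groups are constructed; the input follows the IpPermissions shape of `aws ec2 describe-security-groups` output, and the check also covers the all-traffic protocol, IPv6 `::/0` and port ranges that merely include 80 or 443.

```python
"""Audit of security groups against the chapter's baseline (nothing world-open except 80/443); added example."""
from copy import deepcopy

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
ALLOWED_PUBLIC_PORTS = {80, 443}  # the only ports the baseline exposes to everyone

def _is_world_open(perm):
    """True if the rule's sources include an 'anyone' range, IPv4 or IPv6."""
    return (any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", [])))

def _ports_outside_allowlist(perm):
    """True when the rule reaches any port other than 80 or 443. IpProtocol "-1"
    is all traffic; a range such as 0-65535 covers 80/443 but everything else too."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return not (lo == hi and lo in ALLOWED_PUBLIC_PORTS)

def find_violations(sg):
    """Report-only mode: the world-open inbound rules that break the baseline."""
    return [p for p in sg.get("IpPermissions", [])
            if _is_world_open(p) and _ports_outside_allowlist(p)]

def remediate(sg):
    """Auto-remediate mode: copy of the group with only the offending 'anyone' sources
    removed. Other sources on the same rule stay; a rule left with none is dropped."""
    fixed = deepcopy(sg)
    kept = []
    for p in fixed["IpPermissions"]:
        if _is_world_open(p) and _ports_outside_allowlist(p):
            p["IpRanges"] = [r for r in p.get("IpRanges", []) if r.get("CidrIp") != ANY_IPV4]
            p["Ipv6Ranges"] = [r for r in p.get("Ipv6Ranges", []) if r.get("CidrIpv6") != ANY_IPV6]
            if not (p["IpRanges"] or p["Ipv6Ranges"] or p.get("UserIdGroupPairs")):
                continue  # nothing left that this rule allows
        kept.append(p)
    fixed["IpPermissions"] = kept
    return fixed

def evaluate(sgs, auto_remediate=False):
    """One policy pass: {GroupId: violations} when reporting only, {GroupId: remediated
    group} when auto-remediating. Compliant groups are omitted; input is not mutated."""
    result = {}
    for sg in sgs:
        violations = find_violations(sg)
        if violations:
            result[sg["GroupId"]] = remediate(sg) if auto_remediate else violations
    return result

# Constructed sample data, not real account output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_IPV4}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY_IPV4}]}]},
    {"GroupId": "sg-dev", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,  # SSH from anywhere plus a corporate CIDR
         "IpRanges": [{"CidrIp": ANY_IPV4}, {"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]}]},  # all traffic from anywhere
]

if __name__ == "__main__":
    print("report only:", {g: len(v) for g, v in evaluate(SAMPLE_GROUPS).items()})
    print("auto-remediated:", evaluate(SAMPLE_GROUPS, auto_remediate=True))
```

The remediated copy keeps the 10.0.0.0/8 source on the SSH rule and drops only the rules that had no other source, which is the narrow "remove the offending rule" fix the chapter describes rather than deleting the whole group.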
