Firewall Manager examples using Amazon CLI - Amazon Command Line Interface
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Firewall Manager.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios and cross-service examples.

Scenarios are code examples that show you how to accomplish a specific task by calling multiple functions within the same service.

Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.

Actions

The following code example shows how to use associate-admin-account.

Amazon CLI

To set the Firewall Manager administrator account

The following associate-admin-account example sets the administrator account for Firewall Manager.

aws fms associate-admin-account \
    --admin-account 123456789012

This command produces no output.

For more information, see Set the Amazon Firewall Manager Administrator Account in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

The following code example shows how to use delete-notification-channel.

Amazon CLI

To remove the SNS topic information for Firewall Manager logs

The following delete-notification-channel example removes the SNS topic information.

aws fms delete-notification-channel

This command produces no output.

For more information, see Configure Amazon SNS Notifications and Amazon CloudWatch Alarms in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

The following code example shows how to use delete-policy.

Amazon CLI

To delete a Firewall Manager policy

The following delete-policy example removes the policy with the specified ID, along with all of its resources.

aws fms delete-policy \
    --policy-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --delete-all-policy-resources

This command produces no output.

For more information, see Working with Amazon Firewall Manager Policies in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

  • For API details, see DeletePolicy in Amazon CLI Command Reference.

The following code example shows how to use disassociate-admin-account.

Amazon CLI

To remove the Firewall Manager administrator account

The following disassociate-admin-account example removes the current administrator account association from Firewall Manager.

aws fms disassociate-admin-account

This command produces no output.

For more information, see Set the Amazon Firewall Manager Administrator Account in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

The following code example shows how to use get-admin-account.

Amazon CLI

To retrieve the Firewall Manager administrator account

The following get-admin-account example retrieves the administrator account.

aws fms get-admin-account

Output:

{
    "AdminAccount": "123456789012",
    "RoleStatus": "READY"
}

For more information, see Amazon Firewall Manager Prerequisites in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

The following code example shows how to use get-compliance-detail.

Amazon CLI

To retrieve the compliance information for an account

The following get-compliance-detail example retrieves compliance information for the specified policy and member account.

aws fms get-compliance-detail \
    --policy-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --member-account 123456789012

Output:

{
    "PolicyComplianceDetail": {
        "EvaluationLimitExceeded": false,
        "IssueInfoMap": {},
        "MemberAccount": "123456789012",
        "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "PolicyOwner": "123456789012",
        "Violators": []
    }
}

For more information, see Viewing Resource Compliance with a Policy in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

The following code example shows how to use get-notification-channel.

Amazon CLI

To retrieve the SNS topic information for Firewall Manager logs

The following get-notification-channel example retrieves the SNS topic information.

aws fms get-notification-channel

Output:

{
    "SnsTopicArn": "arn:aws:sns:us-west-2:123456789012:us-west-2-fms",
    "SnsRoleName": "arn:aws:iam::123456789012:role/aws-service-role/fms.amazonaws.com/AWSServiceRoleForFMS"
}

For more information, see Configure Amazon SNS Notifications and Amazon CloudWatch Alarms in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

The following code example shows how to use get-policy.

Amazon CLI

To retrieve a Firewall Manager policy

The following get-policy example retrieves the policy with the specified ID.

aws fms get-policy \
    --policy-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111

Output:

{
    "Policy": {
        "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "PolicyName": "test",
        "PolicyUpdateToken": "1:p+2RpKR4wPFx7mcrL1UOQQ==",
        "SecurityServicePolicyData": {
            "Type": "SECURITY_GROUPS_COMMON",
            "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":true,\"exclusiveResourceSecurityGroupManagement\":false,\"securityGroups\":[{\"id\":\"sg-045c43ccc9724e63e\"}]}"
        },
        "ResourceType": "AWS::EC2::Instance",
        "ResourceTags": [],
        "ExcludeResourceTags": false,
        "RemediationEnabled": false
    },
    "PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/d1ac59b8-938e-42b3-b2e0-7c620422ddc2"
}

For more information, see Working with Amazon Firewall Manager Policies in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

  • For API details, see GetPolicy in Amazon CLI Command Reference.

The following code example shows how to use list-compliance-status.

Amazon CLI

To retrieve the policy compliance information for member accounts

The following list-compliance-status example retrieves member account compliance information for the specified policy.

aws fms list-compliance-status \
    --policy-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111

Output:

{
    "PolicyComplianceStatusList": [
        {
            "PolicyOwner": "123456789012",
            "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "PolicyName": "test",
            "MemberAccount": "123456789012",
            "EvaluationResults": [
                {
                    "ComplianceStatus": "COMPLIANT",
                    "ViolatorCount": 0,
                    "EvaluationLimitExceeded": false
                },
                {
                    "ComplianceStatus": "NON_COMPLIANT",
                    "ViolatorCount": 2,
                    "EvaluationLimitExceeded": false
                }
            ],
            "LastUpdated": 1576283774.0,
            "IssueInfoMap": {}
        }
    ]
}

For more information, see Viewing Resource Compliance with a Policy in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.
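The two compliance commands above return JSON that is awkward to read by eye once an organization has more than a handful of member accounts. The script below is an added example, not part of the AWS documentation: it takes the output of list-compliance-status on standard input (for example, aws fms list-compliance-status --policy-id ... | python3 fms_triage.py) and lists the member accounts with NON_COMPLIANT evaluation results, worst first, treating a result with EvaluationLimitExceeded set as a lower bound rather than an exact count. It also groups the Violators of a get-compliance-detail response by ViolationReason. The sample responses are constructed to match the shape of the documented output; the extra member accounts and the ViolationReason strings in them are illustrative values, not taken from the page.

```python
"""Triage Firewall Manager compliance output (added example, not AWS's own code).

Works on the JSON printed by 'aws fms list-compliance-status' and
'aws fms get-compliance-detail'. Run as a script it reads a
list-compliance-status response from stdin; the functions can also be
imported and fed parsed JSON directly.
"""
import json
import sys
from datetime import datetime, timezone

# Constructed sample shaped like the documented list-compliance-status output.
# Account 123456789012 is the documented entry; the other two are made up so
# that the ordering and the evaluation-limit edge case can be exercised.
SAMPLE_STATUS = {
    "PolicyComplianceStatusList": [
        {
            "PolicyOwner": "123456789012",
            "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "PolicyName": "test",
            "MemberAccount": "123456789012",
            "EvaluationResults": [
                {"ComplianceStatus": "COMPLIANT", "ViolatorCount": 0, "EvaluationLimitExceeded": False},
                {"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 2, "EvaluationLimitExceeded": False},
            ],
            "LastUpdated": 1576283774.0,
            "IssueInfoMap": {},
        },
        {  # constructed: a fully compliant member account
            "PolicyOwner": "123456789012",
            "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "PolicyName": "test",
            "MemberAccount": "222222222222",
            "EvaluationResults": [
                {"ComplianceStatus": "COMPLIANT", "ViolatorCount": 0, "EvaluationLimitExceeded": False},
            ],
            "LastUpdated": 1576283774.0,
            "IssueInfoMap": {},
        },
        {  # constructed: evaluation hit its limit, so 5 is only a lower bound
            "PolicyOwner": "123456789012",
            "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "PolicyName": "test",
            "MemberAccount": "333333333333",
            "EvaluationResults": [
                {"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 5, "EvaluationLimitExceeded": True},
            ],
            "LastUpdated": 1576283774.0,
            "IssueInfoMap": {},
        },
    ]
}

# Constructed sample of a get-compliance-detail response with violators present
# (the documented example has an empty list). Reason strings are illustrative.
SAMPLE_DETAIL = {
    "PolicyComplianceDetail": {
        "EvaluationLimitExceeded": False,
        "IssueInfoMap": {},
        "MemberAccount": "333333333333",
        "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "PolicyOwner": "123456789012",
        "Violators": [
            {"ResourceId": "sg-0aaaaaaaaaaaaaaa1", "ResourceType": "AWS::EC2::SecurityGroup", "ViolationReason": "SECURITY_GROUP_UNUSED"},
            {"ResourceId": "sg-0aaaaaaaaaaaaaaa2", "ResourceType": "AWS::EC2::SecurityGroup", "ViolationReason": "SECURITY_GROUP_UNUSED"},
            {"ResourceId": "sg-0aaaaaaaaaaaaaaa3", "ResourceType": "AWS::EC2::SecurityGroup", "ViolationReason": "SECURITY_GROUP_REDUNDANT"},
        ],
    }
}


def noncompliant_accounts(status):
    """Return (member_account, violator_count, limit_exceeded) tuples for every
    account with at least one NON_COMPLIANT evaluation result, highest count first."""
    rows = []
    for entry in status.get("PolicyComplianceStatusList", []):
        bad = [r for r in entry.get("EvaluationResults", [])
               if r.get("ComplianceStatus") == "NON_COMPLIANT"]
        if not bad:
            continue
        count = sum(r.get("ViolatorCount", 0) for r in bad)
        limit_hit = any(r.get("EvaluationLimitExceeded") for r in bad)
        rows.append((entry["MemberAccount"], count, limit_hit))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def violators_by_reason(detail):
    """Group the Violators of a get-compliance-detail response by ViolationReason."""
    grouped = {}
    for v in detail["PolicyComplianceDetail"].get("Violators", []):
        grouped.setdefault(v["ViolationReason"], []).append(v["ResourceId"])
    return grouped


def last_updated_iso(entry):
    """Render the epoch-seconds LastUpdated field as an ISO-8601 UTC timestamp."""
    return datetime.fromtimestamp(entry["LastUpdated"], tz=timezone.utc).isoformat()


if __name__ == "__main__":
    status = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_STATUS
    for account, count, limit_hit in noncompliant_accounts(status):
        bound = "at least " if limit_hit else ""
        print(f"{account}: {bound}{count} violating resource(s)")
```

Accounts whose evaluation exceeded the limit are worth following up with get-compliance-detail first, since the count shown for them is incomplete.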

The following code example shows how to use list-member-accounts.

Amazon CLI

To retrieve the member accounts in the organization

The following list-member-accounts example lists all of the member accounts that are in the Firewall Manager administrator's organization.

aws fms list-member-accounts

Output:

{
    "MemberAccounts": [
        "222222222222",
        "333333333333",
        "444444444444"
    ]
}

For more information, see Amazon Firewall Manager in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

The following code example shows how to use list-policies.

Amazon CLI

To retrieve all Firewall Manager policies

The following list-policies example retrieves the list of policies for the account. In this example, the output is limited to two results per request. Each call returns a NextToken that can be used as the value for the --starting-token parameter in the next list-policies call to get the next set of results for the list.

aws fms list-policies \
    --max-items 2

Output:

{
    "PolicyList": [
        {
            "PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "PolicyName": "test",
            "ResourceType": "AWS::EC2::Instance",
            "SecurityServiceType": "SECURITY_GROUPS_COMMON",
            "RemediationEnabled": false
        },
        {
            "PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "PolicyId": "457c9b21-fc94-406c-ae63-21217395ba72",
            "PolicyName": "test",
            "ResourceType": "AWS::EC2::Instance",
            "SecurityServiceType": "SECURITY_GROUPS_COMMON",
            "RemediationEnabled": false
        }
    ],
    "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAyfQ=="
}

For more information, see Working with Amazon Firewall Manager Policies in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

  • For API details, see ListPolicies in Amazon CLI Command Reference.
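The pagination loop described above (pass each response's NextToken as --starting-token on the next call until no token comes back) is easy to get wrong in a script, and an inventory that stops at the first page silently misses policies. The following is an added example, not AWS code: it drives aws fms list-policies through subprocess, follows NextToken until the list is exhausted, refuses to loop on a repeated token, and then flags the policies that have RemediationEnabled false, which only report drift rather than correct it. The run parameter lets a canned runner stand in for the CLI; the sample pages are constructed from the documented output plus one invented third policy so the loop has a second page to fetch.

```python
"""Walk every page of 'aws fms list-policies' (added example, not AWS's own code).

Assumes the AWS CLI is on PATH and the caller holds Firewall Manager
administrator credentials when run for real; tests substitute a canned runner.
"""
import json
import subprocess
from typing import Callable, Dict, List, Optional

Runner = Callable[[List[str]], str]


def run_aws(args: List[str]) -> str:
    """Run an 'aws ...' command and return its stdout; raises on a non-zero exit."""
    result = subprocess.run(["aws"] + args, check=True, capture_output=True, text=True)
    return result.stdout


def list_all_policies(page_size: int = 2, run: Runner = run_aws) -> List[Dict]:
    """Repeat list-policies, feeding each NextToken back as --starting-token,
    until a response arrives without a NextToken."""
    policies: List[Dict] = []
    token: Optional[str] = None
    seen_tokens = set()  # a token seen twice means the loop would never end
    while True:
        args = ["fms", "list-policies", "--max-items", str(page_size)]
        if token:
            args += ["--starting-token", token]
        page = json.loads(run(args))
        policies.extend(page.get("PolicyList", []))
        token = page.get("NextToken")
        if not token:
            return policies
        if token in seen_tokens:
            raise RuntimeError("list-policies returned a repeated NextToken; aborting")
        seen_tokens.add(token)


def audit_only_policies(policies: List[Dict]) -> List[str]:
    """Names of policies that only report non-compliance and never remediate it."""
    return [p["PolicyName"] for p in policies if not p.get("RemediationEnabled")]


# Constructed sample: page one is the documented output, page two is invented.
SAMPLE_PAGES = [
    {
        "PolicyList": [
            {"PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
             "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "PolicyName": "test",
             "ResourceType": "AWS::EC2::Instance", "SecurityServiceType": "SECURITY_GROUPS_COMMON",
             "RemediationEnabled": False},
            {"PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
             "PolicyId": "457c9b21-fc94-406c-ae63-21217395ba72", "PolicyName": "test",
             "ResourceType": "AWS::EC2::Instance", "SecurityServiceType": "SECURITY_GROUPS_COMMON",
             "RemediationEnabled": False},
        ],
        "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAyfQ==",
    },
    {
        "PolicyList": [
            {"PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
             "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "PolicyName": "sg-audit-enforced",
             "ResourceType": "AWS::EC2::SecurityGroup", "SecurityServiceType": "SECURITY_GROUPS_USAGE_AUDIT",
             "RemediationEnabled": True},
        ],
    },
]


def make_canned_runner(pages: List[Dict]) -> Runner:
    """Serve pages in order and check that each call passes back the previous token."""
    expected_token: Optional[str] = None
    remaining = iter(pages)

    def run(args: List[str]) -> str:
        nonlocal expected_token
        token = args[args.index("--starting-token") + 1] if "--starting-token" in args else None
        if token != expected_token:
            raise AssertionError(f"expected --starting-token {expected_token!r}, got {token!r}")
        page = next(remaining)
        expected_token = page.get("NextToken")
        return json.dumps(page)

    return run


if __name__ == "__main__":
    found = list_all_policies()
    print(f"{len(found)} policies; audit-only: {audit_only_policies(found)}")
```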

The following code example shows how to use put-notification-channel.

Amazon CLI

To set the SNS topic information for Firewall Manager logs

The following put-notification-channel example sets the SNS topic information.

aws fms put-notification-channel \
    --sns-topic-arn arn:aws:sns:us-west-2:123456789012:us-west-2-fms \
    --sns-role-name arn:aws:iam::123456789012:role/aws-service-role/fms.amazonaws.com/AWSServiceRoleForFMS

This command produces no output.

For more information, see Configure Amazon SNS Notifications and Amazon CloudWatch Alarms in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

The following code example shows how to use put-policy.

Amazon CLI

To create a Firewall Manager policy

The following put-policy example creates a Firewall Manager security group policy.

aws fms put-policy \
    --cli-input-json file://policy.json

Contents of policy.json:

{
    "Policy": {
        "PolicyName": "test",
        "SecurityServicePolicyData": {
            "Type": "SECURITY_GROUPS_USAGE_AUDIT",
            "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":false,\"coalesceRedundantSecurityGroups\":true}"
        },
        "ResourceType": "AWS::EC2::SecurityGroup",
        "ResourceTags": [],
        "ExcludeResourceTags": false,
        "RemediationEnabled": false
    },
    "TagList": [
        {
            "Key": "foo",
            "Value": "foo"
        }
    ]
}

Output:

{
    "Policy": {
        "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "PolicyName": "test",
        "PolicyUpdateToken": "1:X9QGexP7HASDlsFp+G31Iw==",
        "SecurityServicePolicyData": {
            "Type": "SECURITY_GROUPS_USAGE_AUDIT",
            "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":false,\"coalesceRedundantSecurityGroups\":true,\"optionalDelayForUnusedInMinutes\":null}"
        },
        "ResourceType": "AWS::EC2::SecurityGroup",
        "ResourceTags": [],
        "ExcludeResourceTags": false,
        "RemediationEnabled": false
    },
    "PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Working with Amazon Firewall Manager Policies in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

  • For API details, see PutPolicy in Amazon CLI Command Reference.
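In both the get-policy output and the put-policy input above, ManagedServiceData is itself a JSON document carried as a string inside the outer JSON, which is why it appears with escaped quotes. Hand-editing that string is the usual source of put-policy failures. The following is an added example, not AWS code, and serves both the get-policy and put-policy sections: it builds a policy.json for the documented security-group usage-audit policy with the inner document encoded by json.dumps, and decodes the inner document of a get-policy response so a reviewer can see at a glance whether a policy remediates or only audits and whether it reverts manual security-group changes. The response used as sample input is constructed from the documented get-policy output; the function and file names are this example's own.

```python
"""Build and inspect Firewall Manager policy documents (added example, not AWS's own code).

ManagedServiceData is a JSON string nested inside JSON: encode it with
json.dumps on the way in and decode it with json.loads on the way out.
"""
import json
from typing import Dict, Optional

# Constructed from the documented get-policy output.
SAMPLE_GET_POLICY = {
    "Policy": {
        "PolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "PolicyName": "test",
        "PolicyUpdateToken": "1:p+2RpKR4wPFx7mcrL1UOQQ==",
        "SecurityServicePolicyData": {
            "Type": "SECURITY_GROUPS_COMMON",
            "ManagedServiceData": '{"type":"SECURITY_GROUPS_COMMON","revertManualSecurityGroupChanges":true,'
                                  '"exclusiveResourceSecurityGroupManagement":false,'
                                  '"securityGroups":[{"id":"sg-045c43ccc9724e63e"}]}',
        },
        "ResourceType": "AWS::EC2::Instance",
        "ResourceTags": [],
        "ExcludeResourceTags": False,
        "RemediationEnabled": False,
    },
    "PolicyArn": "arn:aws:fms:us-west-2:123456789012:policy/d1ac59b8-938e-42b3-b2e0-7c620422ddc2",
}


def build_security_group_audit_policy(name: str, delete_unused: bool = False,
                                      coalesce_redundant: bool = True, remediate: bool = False,
                                      tags: Optional[Dict[str, str]] = None) -> Dict:
    """Return the put-policy input for a SECURITY_GROUPS_USAGE_AUDIT policy.

    The inner document is serialised compactly; with the defaults it matches the
    ManagedServiceData string in the documented policy.json byte for byte.
    """
    managed = {
        "type": "SECURITY_GROUPS_USAGE_AUDIT",
        "deleteUnusedSecurityGroups": delete_unused,
        "coalesceRedundantSecurityGroups": coalesce_redundant,
    }
    return {
        "Policy": {
            "PolicyName": name,
            "SecurityServicePolicyData": {
                "Type": "SECURITY_GROUPS_USAGE_AUDIT",
                "ManagedServiceData": json.dumps(managed, separators=(",", ":")),
            },
            "ResourceType": "AWS::EC2::SecurityGroup",
            "ResourceTags": [],
            "ExcludeResourceTags": False,
            "RemediationEnabled": remediate,
        },
        "TagList": [{"Key": k, "Value": v} for k, v in (tags or {}).items()],
    }


def decode_managed_service_data(policy_response: Dict) -> Dict:
    """Parse the nested ManagedServiceData document of a get-policy (or put-policy) response.

    Rejects a document whose inner 'type' disagrees with the outer 'Type', which
    is the symptom of a policy.json edited by hand in one place but not the other.
    """
    data = policy_response["Policy"]["SecurityServicePolicyData"]
    managed = json.loads(data["ManagedServiceData"])
    if managed.get("type") != data["Type"]:
        raise ValueError(f"inner type {managed.get('type')!r} != outer Type {data['Type']!r}")
    return managed


def summarize(policy_response: Dict) -> Dict:
    """The settings a reviewer cares about: what the policy covers and whether it acts."""
    pol = policy_response["Policy"]
    managed = decode_managed_service_data(policy_response)
    return {
        "name": pol["PolicyName"],
        "service_type": pol["SecurityServicePolicyData"]["Type"],
        "resource_type": pol["ResourceType"],
        "remediation_enabled": bool(pol.get("RemediationEnabled")),
        "reverts_manual_sg_changes": bool(managed.get("revertManualSecurityGroupChanges")),
        "managed": managed,
    }


if __name__ == "__main__":
    # Writes the documented policy.json; run 'aws fms put-policy --cli-input-json file://policy.json' after.
    with open("policy.json", "w", encoding="utf-8") as fh:
        json.dump(build_security_group_audit_policy("test", tags={"foo": "foo"}), fh, indent=4)
    print(json.dumps(summarize(SAMPLE_GET_POLICY), indent=2))
```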