Step 3: Enable Amazon Config - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 3: Enable Amazon Config

To use Firewall Manager, you must enable Amazon Config.

Note

You incur charges for your Amazon Config settings, according to Amazon Config pricing. For more information, see Getting Started with Amazon Config.

Note

In order for Firewall Manager to monitor policy compliance, Amazon Config must continuously record configuration changes for protected resources. In your Amazon Config configuration, the recording frequency must be set to Continuous, which is the default setting.

To enable Amazon Config for Firewall Manager
  1. Enable Amazon Config for each of your Amazon Organizations member accounts, including the Firewall Manager administrator account. For more information, see Getting Started with Amazon Config.

  2. Enable Amazon Config for each Amazon Web Services Region that contains the resources that you want to protect. You can enable Amazon Config manually, or you can use the Amazon CloudFormation template "Enable Amazon Config" at Amazon CloudFormation StackSets Sample Templates.

    If you don't want to enable Amazon Config for all resources, then you must enable the following according to the type of Firewall Manager policies that you use:

    • WAF policy – Enable Config for the resource types CloudFront Distribution, Application Load Balancer (choose ElasticLoadBalancingV2 from the list), API Gateway, WAF WebACL, WAF Regional WebACL, and WAFv2 WebACL. To enable Amazon Config to protect a CloudFront distribution, you must be in the US East (N. Virginia) Region. Other Regions don't have CloudFront as an option.

    • Shield policy – Enable Config for the resource types Shield Protection, ShieldRegional Protection, Application Load Balancer, EC2 EIP, WAF WebACL, WAF Regional WebACL, and WAFv2 WebACL.

    • Security group policy – Enable Config for the resource types EC2 SecurityGroup, EC2 Instance, and EC2 NetworkInterface.

    • Network ACL policy – Enable Config for the resource types Amazon EC2 Subnet and Amazon EC2 network ACL.

    • Network Firewall policy – Enable Config for the resource types NetworkFirewall FirewallPolicy, NetworkFirewall RuleGroup, EC2 VPC, EC2 InternetGateway, EC2 RouteTable, and EC2 Subnet.

    • DNS Firewall policy – Enable Config for the resource type EC2 VPC.

    • Third-party firewall policy – Enable Config for the resource types Amazon EC2 VPC, Amazon EC2 InternetGateway, Amazon EC2 RouteTable, Amazon EC2 Subnet, and Amazon EC2 VPCEndpoint.

    Note

    If you configure your Amazon Config recorder to use a custom IAM role, you need to make sure the IAM policy has the proper permissions to record the Firewall Manager policy's required resource types. Without the proper permissions, the required resources might not be recorded, which prevents Firewall Manager from properly protecting your resources. Firewall Manager doesn't have visibility into these permission misconfigurations. For information about using IAM with Amazon Config, see IAM for Amazon Config.
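The following check is an added example, not part of the original documentation. It reads one recorder entry from the JSON output of `aws configservice describe-configuration-recorders` and reports which resource types required by a policy type are not recorded or are not recorded continuously. The function name `recorder_gaps`, the mapping of four of the policy types above to Config resource type identifiers, and the sample recorder are assumptions made for the example.

```python
import json

# Config resource type identifiers for four of the policy types listed above.
REQUIRED = {
    "security_group": {"AWS::EC2::SecurityGroup", "AWS::EC2::Instance",
                       "AWS::EC2::NetworkInterface"},
    "network_acl": {"AWS::EC2::Subnet", "AWS::EC2::NetworkAcl"},
    "network_firewall": {"AWS::NetworkFirewall::FirewallPolicy",
                         "AWS::NetworkFirewall::RuleGroup", "AWS::EC2::VPC",
                         "AWS::EC2::InternetGateway", "AWS::EC2::RouteTable",
                         "AWS::EC2::Subnet"},
    "dns_firewall": {"AWS::EC2::VPC"},
}

def recorder_gaps(recorder, policy_type):
    """Return (not_recorded, not_continuous) required types for one recorder."""
    required = REQUIRED[policy_type]
    group = recorder.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        not_recorded = required & set(excluded)
    elif strategy == "ALL_SUPPORTED_RESOURCE_TYPES" or group.get("allSupported"):
        not_recorded = set()
    else:  # explicit inclusion list
        not_recorded = required - set(group.get("resourceTypes", []))
    # Per-type overrides can switch a type away from continuous recording.
    mode = recorder.get("recordingMode", {})
    freq = dict.fromkeys(required, mode.get("recordingFrequency", "CONTINUOUS"))
    for override in mode.get("recordingModeOverrides", []):
        for rtype in required.intersection(override.get("resourceTypes", [])):
            freq[rtype] = override["recordingFrequency"]
    not_continuous = {t for t, f in freq.items() if f != "CONTINUOUS"} - not_recorded
    return sorted(not_recorded), sorted(not_continuous)

# Constructed sample in the shape of the describe-configuration-recorders output.
SAMPLE = json.loads("""{"ConfigurationRecorders": [{
  "name": "default",
  "recordingGroup": {"allSupported": false,
    "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::EC2::Instance",
                      "AWS::EC2::VPC", "AWS::EC2::Subnet", "AWS::EC2::NetworkAcl"],
    "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"}},
  "recordingMode": {"recordingFrequency": "CONTINUOUS",
    "recordingModeOverrides": [{"resourceTypes": ["AWS::EC2::Subnet"],
                                "recordingFrequency": "DAILY"}]}}]}""")

if __name__ == "__main__":
    for policy in REQUIRED:
        print(policy, recorder_gaps(SAMPLE["ConfigurationRecorders"][0], policy))
```

The check must be run per account and per Region, and it does not cover the custom IAM role permissions described in the note above.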