Working with Amazon Firewall Manager administrators - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with Amazon Firewall Manager administrators

With Amazon Firewall Manager you can have one or more administrators who manage the firewall resources of your organization. If you want to use multiple Firewall Manager administrators in your organization, you can apply administrative scope conditions to each administrator to define the resources that they can manage. This gives you the flexibility to have different administrator roles within your organization, and helps you maintain the principle of least privilege. For example, you can have one administrator manage a set of organizational units (OUs) for your organization, while delegating another administrator to manage only specific Firewall Manager policy types. For more information about Organizations and management accounts, see Managing the Amazon Accounts in Your Organization.

For the maximum number of administrators that you can have per organization, see Amazon Firewall Manager quotas.

Getting started using Firewall Manager administrators

Before you begin using Firewall Manager administrators, you must complete the prerequisites listed in Amazon Firewall Manager prerequisites. In the prerequisites, you'll onboard an Amazon Organizations organization to Firewall Manager and create a default administrator account for Firewall Manager. A default administrator account has the ability to manage third-party firewalls and has full administrative scope.

Administrative scope

Administrative scope defines the resources that a Firewall Manager administrator can manage. After an Amazon Organizations management account onboards an organization to Firewall Manager, the management account can create additional Firewall Manager administrators with different administrative scopes. The management account can grant an administrator either full or restricted administrative scope. Full scope gives the administrator access to all of the resource types listed below. Restricted scope grants administrative permission for only a subset of them. We recommend that you grant administrators only the permissions they need to perform the duties of their role. You can apply any combination of these administrative scope conditions to an administrator:

  • Accounts or OUs in your organization that the administrator can apply policies to.

  • Regions that the administrator can perform actions in.

  • Firewall Manager policy types that the administrator can manage.
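The three conditions above are what separate a full-scope administrator from a restricted one. As an added example (not code from the AWS documentation), the following review helper classifies each administrator's scope along those conditions and flags non-default administrators that still hold full scope; the scope dictionaries follow the AdminScope shape of the Firewall Manager GetAdminScope API as I know it (AccountScope, OrganizationalUnitScope, RegionScope, PolicyTypeScope), the classification rule is this example's own, and all account IDs, the OU ID and the scopes are constructed sample data.

```python
"""Least-privilege review of Firewall Manager administrative scopes (added example;
AdminScope dict shape as in the GetAdminScope API as I know it; sample data constructed)."""

# Per scope block: item list key, "all enabled" flag, optional "exclude listed" flag.
_DIMENSIONS = {
    "AccountScope": ("Accounts", "AllAccountsEnabled", "ExcludeSpecifiedAccounts"),
    "OrganizationalUnitScope": ("OrganizationalUnits", "AllOrganizationalUnitsEnabled",
                                "ExcludeSpecifiedOrganizationalUnits"),
    "RegionScope": ("Regions", "AllRegionsEnabled", None),
    "PolicyTypeScope": ("PolicyTypes", "AllPolicyTypesEnabled", None),
}


def restricted_conditions(scope: dict) -> dict[str, str]:
    """Scope conditions that narrow this administrator. Rule used here: a block
    restricts only if it lists specific items without its All...Enabled flag;
    an exclude flag inverts the list but still restricts."""
    found = {}
    for block_name, (items_key, all_key, excl_key) in _DIMENSIONS.items():
        block = scope.get(block_name) or {}
        items = block.get(items_key) or []
        if block.get(all_key) or not items:
            continue  # unrestricted in this dimension
        mode = "all except" if excl_key and block.get(excl_key) else "only"
        found[block_name] = f"{mode} {', '.join(sorted(items))}"
    return found


def is_full_scope(scope: dict) -> bool:
    """Full scope: no condition on accounts/OUs, Regions or policy types."""
    return not restricted_conditions(scope)


def review_full_scope_admins(admins: dict[str, dict], default_admin: str) -> list[str]:
    """Non-default administrators holding full scope: candidates for narrowing."""
    return sorted(a for a, s in admins.items() if a != default_admin and is_full_scope(s))


# Constructed sample: the default administrator plus three delegated administrators.
SAMPLE_ADMINS = {
    "111111111111": {},  # default administrator: full scope by design
    "222222222222": {"OrganizationalUnitScope": {"OrganizationalUnits": ["ou-ab12-cdefgh34"]},
                     "RegionScope": {"Regions": ["us-east-1", "eu-west-1"]}},
    "333333333333": {"AccountScope": {"AllAccountsEnabled": True},
                     "PolicyTypeScope": {"PolicyTypes": ["WAFV2", "SHIELD_ADVANCED"]}},
    "444444444444": {"AccountScope": {"AllAccountsEnabled": True},
                     "RegionScope": {"AllRegionsEnabled": True},
                     "PolicyTypeScope": {"AllPolicyTypesEnabled": True}},
}
```

Running `review_full_scope_admins(SAMPLE_ADMINS, "111111111111")` reports only account 444444444444, the one delegated administrator whose scope was never narrowed; the default administrator is excluded because full scope is expected for that role.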

Administrator roles

There are two types of administrator roles in Firewall Manager: a default administrator, and Firewall Manager administrators.

  • Default administrator - The organization's management account creates a Firewall Manager default administrator account when they onboard their organization to Firewall Manager while completing the Amazon Firewall Manager prerequisites. The default administrator can manage third-party firewalls and has full administrative scope, but is otherwise at the same peer level as other administrators, if you choose to have multiple administrators.

  • Firewall Manager administrators - A Firewall Manager administrator can manage the resources that the Amazon Organizations management account designates for them in their administrative scope configuration. For the maximum number of administrators that you can have per organization, see Amazon Firewall Manager quotas. Upon creation of a Firewall Manager administrator account, the service checks with Amazon Organizations to see if the account is already a delegated administrator for Firewall Manager within the organization. If not, then Firewall Manager calls Organizations to set the account as a delegated administrator for Firewall Manager. For information about Organizations delegated administrators, see Amazon Organizations terminology and concepts in the Amazon Organizations User Guide.

Existing administrators

If you are an existing Firewall Manager customer and have already set an administrator, then this existing administrator will be the Firewall Manager default administrator. There should be no impact on your existing workflow. If you wish to add more administrators, you can do so by following the procedures in this chapter.