Creating a Firewall Manager administrator account - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a Firewall Manager administrator account

The following procedure describes how to create a Firewall Manager administrator account using the Firewall Manager console.

To create a Firewall Manager administrator account
  1. Sign in to the Firewall Manager Amazon Web Services Management Console using an existing Amazon Organizations management account.

  2. Open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2.

  3. In the navigation pane, choose Settings.

  4. Choose Create administrator account.

  5. In the Details pane, for Amazon account ID, enter the 12-digit account ID of the member account that you want to add as a Firewall Manager administrator.

  6. For Administrative scope, choose one of the following options:

    • Full – This grants the administrator the ability to apply policies to all accounts and organizational units (OUs) within the organization, take actions in all Regions, and apply all Firewall Manager policy types, except for third-party firewalls. Only the default administrator can create and manage third-party firewalls. Use caution when granting this level of permissions. In the spirit of least privilege, grant an administrator only the permissions needed to perform the duties of their role.

    • Restricted – This limits the administrator to the accounts and organizational units, Regions, and policy types that you specify. If you choose Restricted, then in Configure administrative scope, configure each of the following.

      For Accounts and organizational units, choose the options as follows:

      • If you want to apply policies to all accounts or organizational units in your organization, choose Include all accounts under my Amazon organization.

      • If you want to apply policies only to specific accounts or accounts that are in specific Amazon Organizations organizational units (OUs), choose Include only the specified accounts and organizational units, and then add the accounts and OUs that you want to include. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

      • If you want to apply policies to all but a specific set of accounts or Amazon Organizations organizational units (OUs), choose Exclude the specified accounts and organizational units, and include all others, and then add the accounts and OUs that you want to exclude. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

      For Regions, choose the options as follows:

      • If you want to allow the administrator to perform actions in all available Regions, choose Include all Regions.

      • If you want the administrator to perform actions only in specific Regions, choose Include only the specified Regions, and then specify the Regions that you want to include.

        Note

        To include a Region that is disabled by default, you must enable the Region for both the Amazon Organizations organization management account and the default administration account. For information about enabling Regions for an account, see Enable a Region in the Amazon Web Services General Reference.

      For Policy types, choose the options as follows:

      • If you want to allow the administrator to manage all policy types, choose Include all policy types.

      • If you want the administrator to manage only specific policy types, choose Include only the specified policy types, and then specify the policy types that you want to include.

  7. Choose Create administrator account to create the administrator account. Upon creation, Firewall Manager calls Amazon Organizations to check whether the account is already a delegated administrator for your organization. If not, Firewall Manager designates the account as a delegated administrator. For information about delegated administrators in Organizations, see Amazon Organizations terminology and concepts in the Amazon Organizations User Guide.

If you apply a Restricted administrative scope, Firewall Manager automatically evaluates new accounts against your scope settings. For example, if you include only specific accounts, the administrator's scope doesn't extend to accounts that are later added to the organization. As another example, if you include an OU, then when you add an account to that OU or to any of its child OUs, Firewall Manager automatically includes the account within the administrative scope.
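The same administrative-scope choices can be made without the console through the Firewall Manager PutAdminAccount API. The following is an added example, not code from this page or from the Firewall Manager service, that builds an AdminScope for a restricted administrator, checks it against the least-privilege advice above (refusing a Full scope unless explicitly confirmed, and refusing the third-party firewall policy type, which only the default administrator can manage), and then calls PutAdminAccount with boto3 using the same management-account credentials that step 1 requires. The AdminScope field names follow the PutAdminAccount API; the helper names, the dry-run client, the account ID, OU ID and Region are constructed placeholders, and omitting an account or OU sub-scope whose list is empty in Include or Exclude mode is an assumption.

```python
"""Build, check and apply a Firewall Manager administrative scope via PutAdminAccount.

Added example with constructed identifiers; not from the Firewall Manager documentation.
"""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")                     # 12-digit account ID
OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")  # Organizations OU ID format

# Only the default administrator can manage third-party firewall policies,
# so this policy type must never be delegated to another administrator.
DEFAULT_ADMIN_ONLY = {"THIRD_PARTY_FIREWALL"}


def build_admin_scope(mode, accounts=(), ous=(), regions=(), policy_types=()):
    """Return an AdminScope dict in the shape PutAdminAccount expects.

    mode mirrors the console choices: "all" (include all accounts and OUs),
    "include" (only the listed accounts/OUs), "exclude" (all but the listed).
    An empty regions or policy_types sequence means "include all" for that dimension.
    """
    if mode not in ("all", "include", "exclude"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "all" and (accounts or ous):
        raise ValueError("mode 'all' takes no account or OU list")
    if mode != "all" and not (accounts or ous):
        raise ValueError(f"mode {mode!r} needs at least one account or OU")
    for account in accounts:
        if not ACCOUNT_ID_RE.match(account):
            raise ValueError(f"bad account ID {account!r}")
    for ou in ous:
        if not OU_ID_RE.match(ou):
            raise ValueError(f"bad OU ID {ou!r}")

    exclude = mode == "exclude"
    scope = {
        "RegionScope": {"Regions": list(regions), "AllRegionsEnabled": not regions},
        "PolicyTypeScope": {"PolicyTypes": list(policy_types),
                            "AllPolicyTypesEnabled": not policy_types},
    }
    # Assumption: a sub-scope is sent only when it carries a list or the "all" flag.
    if mode == "all" or accounts:
        scope["AccountScope"] = {"Accounts": list(accounts),
                                 "AllAccountsEnabled": mode == "all",
                                 "ExcludeSpecifiedAccounts": exclude}
    if mode == "all" or ous:
        scope["OrganizationalUnitScope"] = {"OrganizationalUnits": list(ous),
                                            "AllOrganizationalUnitsEnabled": mode == "all",
                                            "ExcludeSpecifiedOrganizationalUnits": exclude}
    return scope


def check_least_privilege(scope, allow_full=False):
    """Return a list of findings; an empty list means the scope is acceptable."""
    findings = []
    all_accounts = scope.get("AccountScope", {}).get("AllAccountsEnabled", False)
    all_regions = scope["RegionScope"]["AllRegionsEnabled"]
    all_types = scope["PolicyTypeScope"]["AllPolicyTypesEnabled"]
    if all_accounts and all_regions and all_types and not allow_full:
        findings.append("scope is Full (all accounts, Regions and policy types); "
                        "pass allow_full=True to confirm this is intended")
    reserved = DEFAULT_ADMIN_ONLY & set(scope["PolicyTypeScope"]["PolicyTypes"])
    if reserved:
        findings.append("policy types only the default administrator can manage: "
                        + ", ".join(sorted(reserved)))
    return findings


class DryRunClient:
    """Stand-in for boto3.client("fms") that records the call instead of making it."""
    def __init__(self):
        self.calls = []

    def put_admin_account(self, **kwargs):
        self.calls.append(kwargs)


def apply_admin_scope(admin_account, scope, client=None, allow_full=False):
    """Check the scope, then call PutAdminAccount; returns the request sent."""
    if not ACCOUNT_ID_RE.match(admin_account):
        raise ValueError(f"bad administrator account ID {admin_account!r}")
    findings = check_least_privilege(scope, allow_full)
    if findings:
        raise ValueError("refusing to apply scope: " + "; ".join(findings))
    if client is None:
        import boto3  # real call only when no client is injected
        client = boto3.client("fms")
    request = {"AdminAccount": admin_account, "AdminScope": scope}
    client.put_admin_account(**request)
    return request


if __name__ == "__main__":
    # Constructed placeholders: one OU, one Region, two policy types.
    restricted = build_admin_scope("include", ous=["ou-abcd-12345678"],
                                   regions=["cn-north-1"],
                                   policy_types=["WAF", "DNS_FIREWALL"])
    print(apply_admin_scope("111122223333", restricted, client=DryRunClient()))
```

Replace `DryRunClient()` with `boto3.client("fms")` (or omit the argument) to make the real call; the scope checks run either way, so a Full scope or a delegated THIRD_PARTY_FIREWALL type is rejected before any request leaves the machine.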