Amazon managed policies for Amazon Firewall Manager
An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.
For more information, see Amazon managed policies in the IAM User Guide.
Amazon managed policy: AWSFMAdminFullAccess
Use the AWSFMAdminFullAccess Amazon managed policy to allow your administrators to access Amazon Firewall Manager resources, including all Firewall Manager policy types. This policy doesn't include permissions for setting up Amazon Simple Notification Service notifications in Amazon Firewall Manager. For information about how to set up access for Amazon Simple Notification Service, see Setting up access for Amazon Simple Notification Service.
For the policy listing and details, see the IAM console at AWSFMAdminFullAccess
Permission statements
This policy is grouped into statements based on the set of permissions.
- Amazon Firewall Manager policy resources – Allows full administrative permissions to resources in Amazon Firewall Manager, including all Firewall Manager policy types.
- Write Amazon WAF logs to Amazon Simple Storage Service – Allows Firewall Manager to write and read Amazon WAF logs in Amazon S3.
- Create service-linked role – Allows the administrator to create a service-linked role, which allows Firewall Manager to access resources in other services on your behalf. This permission allows creating the service-linked role only for use by Firewall Manager. For information about how Firewall Manager uses service-linked roles, see Using service-linked roles for Firewall Manager.
- Amazon Organizations – Allows administrators to use Firewall Manager for an organization in Amazon Organizations. After enabling trusted access for Firewall Manager in Amazon Organizations, members of the admin account can view findings across their organization. For information about using Amazon Organizations with Amazon Firewall Manager, see Using Amazon Organizations with other Amazon services in the Amazon Organizations User Guide.
Permission categories
The following lists the types of permissions in the policy and the permissions that they provide.
- fms – Work with Amazon Firewall Manager resources.
- waf and waf-regional – Work with Amazon WAF Classic policies.
- elasticloadbalancing – Associate Amazon WAF web ACLs with Elastic Load Balancers.
- firehose – View information about Amazon WAF logs.
- organizations – Work with Amazon Organizations resources.
- shield – View the subscription state of Amazon Shield policies.
- route53resolver – Work with Route 53 Private DNS for VPCs rule groups in a Route 53 Private DNS for VPCs policy.
- wafv2 – Work with Amazon WAFV2 policies.
- network-firewall – Work with Amazon Network Firewall policies.
- ec2 – View policy Availability Zones and Regions.
- s3 – View information about Amazon WAF logs.
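The page recommends narrowing these managed policies with customer managed policies, and the list above names the service prefixes that AWSFMAdminFullAccess covers. The following Python script is an added example, not Amazon's code and not the actual AWSFMAdminFullAccess document: it parses an IAM policy document in its JSON form, summarizes the actions granted per service prefix, flags wildcard actions and unconditioned `Resource: *` grants, and reports any prefix that falls outside the category list from this page. Both policy documents in the script are constructed for illustration; the account ID, Region and Sid values are placeholders, and FULL_ACCESS_PREFIXES is simply the prefix list given above.

```python
"""Audit an IAM policy document: which services it grants, and where it is broad.

Added example, not Amazon's code. The policy documents below are constructed
for illustration and are not the real AWSFMAdminFullAccess listing.
"""
import json
from collections import defaultdict

# Service prefixes the page lists as permission categories for AWSFMAdminFullAccess.
FULL_ACCESS_PREFIXES = {
    "fms", "waf", "waf-regional", "elasticloadbalancing", "firehose",
    "organizations", "shield", "route53resolver", "wafv2",
    "network-firewall", "ec2", "s3",
}

# Constructed sample: a customer managed policy that narrows administrator
# permissions to Firewall Manager policies plus read access to WAFv2 web ACLs.
# Account ID 111122223333 and the Region are placeholders.
SCOPED_DOWN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageFirewallManagerPolicies",
      "Effect": "Allow",
      "Action": ["fms:GetPolicy", "fms:ListPolicies", "fms:PutPolicy", "fms:DeletePolicy"],
      "Resource": "arn:aws:fms:us-east-1:111122223333:policy/*"
    },
    {
      "Sid": "ReadWafv2WebAcls",
      "Effect": "Allow",
      "Action": ["wafv2:ListWebACLs", "wafv2:GetWebACL"],
      "Resource": "*"
    },
    {
      "Sid": "CreateServiceLinkedRoleForFms",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {"StringEquals": {"iam:AWSServiceName": "fms.amazonaws.com"}}
    }
  ]
}
""")

# Constructed sample of the kind of grant the page warns is broader than needed.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllOfFms", "Effect": "Allow", "Action": "fms:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize_policy(policy):
    """Return (summary, findings).

    summary: {service_prefix: sorted action names} over Allow statements.
    findings: human-readable notes on grants an administrator should review.
    """
    allowed = defaultdict(set)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they are not grants
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction grants every action except those listed")
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            allowed[service.lower()].add(name or "*")
            if name in ("", "*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append(f"{sid}: Resource * with no Condition")
    summary = {svc: sorted(acts) for svc, acts in sorted(allowed.items())}
    return summary, findings


def services_outside(summary, baseline):
    """Service prefixes the policy touches that are not in the baseline set."""
    return set(summary) - set(baseline)


if __name__ == "__main__":
    for label, doc in (("scoped-down", SCOPED_DOWN_POLICY), ("broad", BROAD_POLICY)):
        summary, findings = summarize_policy(doc)
        print(f"{label}: {summary}")
        for note in findings:
            print(f"  finding: {note}")
        print(f"  outside page's category list: {services_outside(summary, FULL_ACCESS_PREFIXES)}")
```

Run against the scoped-down sample, the script reports `iam` as the one prefix outside the page's category list: the statement section above describes the service-linked-role permission, but the category list does not name `iam`, so a check like this is useful for spotting prefixes a summary omits. The same script can be pointed at a policy document retrieved from the IAM console to compare what a managed policy actually grants with what the documentation summarizes.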
Amazon managed policy: FMSServiceRolePolicy
This policy allows Amazon Firewall Manager to manage Amazon resources on your behalf in Firewall Manager and in integrated services. This policy is attached to the service-linked role AWSServiceRoleForFMS. For more information about the service-linked role, see Using service-linked roles for Firewall Manager.
For policy details, see the IAM console at FMSServiceRolePolicy
Amazon managed policy: AWSFMAdminReadOnlyAccess
Grants read-only access to all Amazon Firewall Manager resources.
For the policy listing and details, see the IAM console at AWSFMAdminReadOnlyAccess
Permission categories
The following lists the types of permissions in the policy and the information that the permissions allow read-only access to.
- fms – Amazon Firewall Manager resources.
- waf and waf-regional – Amazon WAF Classic policies.
- firehose – Amazon WAF logs.
- organizations – Amazon Organizations resources.
- shield – Amazon Shield policies.
- route53resolver – Route 53 Private DNS for VPCs rule groups in a Route 53 Private DNS for VPCs policy.
- wafv2 – Your Amazon WAFV2 rule groups and the Amazon Managed Rules rule groups that are available in Amazon WAFV2.
- network-firewall – Amazon Network Firewall rule groups and rule group metadata.
- ec2 – Amazon Network Firewall policy Availability Zones and Regions.
- s3 – Amazon WAF logs.
Amazon managed policy: AWSFMMemberReadOnlyAccess
Grants read-only access to Amazon Firewall Manager member resources. For the policy listing and details, see the IAM console at AWSFMMemberReadOnlyAccess
Firewall Manager updates to Amazon managed policies
View details about updates to Amazon managed policies for Firewall Manager since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Firewall Manager document history page at Document history.
Change | Description | Date
---|---|---
FMSServiceRolePolicy – Updated policy | Added permissions to the Firewall Manager service role policy. Added the ability to read Network Firewall TLS configuration information. See the updated policy in the IAM console: FMSServiceRolePolicy | 2024-07-22
FMSServiceRolePolicy – Updated policy | Added permissions for managing network ACLs. See the updated policy in the IAM console: FMSServiceRolePolicy | 2024-04-22
FMSServiceRolePolicy – Updated policy | Added permissions that allow Firewall Manager to describe whether the specified Amazon Config rules are compliant. See the updated policy in the IAM console: FMSServiceRolePolicy | 2023-04-21
FMSServiceRolePolicy – Updated policy | Added permissions that allow Firewall Manager to describe Amazon EC2 instance and network interface attributes. See the updated policy in the IAM console: FMSServiceRolePolicy | 2022-11-15
AWSFMAdminReadOnlyAccess – Updated policy | Added permissions to support Amazon WAFV2, Shield, Network Firewall, DNS Firewall, and Amazon VPC security group policies. See the updated policy in the IAM console: AWSFMAdminReadOnlyAccess | 2022-11-02
AWSFMAdminFullAccess – Updated policy | Added permissions to support Amazon WAFV2, Shield, Network Firewall, DNS Firewall, and Amazon VPC security group policies. Removed Amazon SNS permissions. See the updated policy in the IAM console: AWSFMAdminFullAccess | 2022-10-21
| This change allows Firewall Manager to create and delete the Amazon EC2 VPC endpoints associated with a third-party firewall policy. | 2022-03-30
| Added new permissions to support deployment of firewalls for Network Firewall policies. The new permissions allow the retrieval of information about Availability Zones for accounts that are in scope of a policy. | 2022-02-16
| Added new permissions to retrieve tags for Amazon WAF regional and Amazon WAF global resources. Added Amazon WAF regional permissions to retrieve web ACLs using a resource ARN. Added permissions to support Shield automatic application layer DDoS mitigation. | 2022-01-07
| Added new permission to retrieve tags for Elastic Load Balancing resources. | 2021-11-18
| Added new permissions to enable centralized logging for Amazon Network Firewall policies. Additionally, read-only Amazon EC2 permissions were added to support changes to the Config service that impact how Amazon Firewall Manager queries resources for security group policies. | 2021-09-29
| Updated the | 2021-08-12
| Amazon Firewall Manager has enabled | 2021-08-12
| Added new permissions to allow Amazon Firewall Manager to manage Amazon Route 53 Resolver DNS Firewall. This change allows Firewall Manager to configure Amazon Route 53 Resolver DNS Firewall associations. This permits you to use Firewall Manager to provide DNS Firewall protections for your VPCs throughout your organization in Amazon Organizations. | 2021-03-17
Firewall Manager started tracking changes | Firewall Manager started tracking changes for its Amazon managed policies. | 2021-03-02