Setting up Amazon Firewall Manager​ DNS Firewall policies - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting up Amazon Firewall Manager​ DNS Firewall policies

To use Amazon Firewall Manager to enable Amazon Route 53 Resolver DNS Firewall across your organization, perform the following steps in sequence. For information about Firewall Manager DNS Firewall policies, see Using Amazon Route 53 Resolver DNS Firewall policies in Firewall Manager.

Step 1: Completing the prerequisites

There are several mandatory steps to prepare your account for Amazon Firewall Manager. Those steps are described in Amazon Firewall Manager prerequisites. Complete all the prerequisites before proceeding to the next step.

Step 2: Creating your DNS Firewall rule groups to use in your policy

To follow this tutorial, you should be familiar with Amazon Route 53 Resolver DNS Firewall and know how to configure its rule groups.

You must have least one rule group in DNS Firewall that will be used in your Amazon Firewall Manager policy. If you haven't already created a rule group in DNS Firewall, do so now. For information about using DNS Firewall, see Amazon Route 53 Resolver DNS Firewall in the Amazon Route 53 Developer Guide.

Step 3: Creating and applying a DNS Firewall policy

After completing the prerequisites, you create an Amazon Firewall Manager DNS Firewall policy. A DNS Firewall policy provides a set of centrally controlled DNS Firewall rule group associations for your entire Amazon organization. It also defines the Amazon Web Services accounts and resources that the firewall applies to.

For more information about how Firewall Manager manages your DNS Firewall rule group associations, see Using Amazon Route 53 Resolver DNS Firewall policies in Firewall Manager.

To create a Firewall Manager DNS Firewall policy (console)
  1. Sign in to the Amazon Web Services Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see Amazon Firewall Manager prerequisites.

  2. In the navigation pane, choose Security policies.

  3. If you haven't met the prerequisites, the console displays instructions about how to fix any issues. Follow the instructions, and then return to this step, to create a DNS Firewall policy.

  4. Choose Create security policy.

  5. For Policy type, choose Amazon Route 53 Resolver DNS Firewall.

  6. For Region, choose an Amazon Web Services Region.

  7. Choose Next.

  8. For Policy name, enter a descriptive name.

  9. The policy configuration allows you to define the DNS Firewall rule group associations that you want to manage from Firewall Manager. You add the rule groups that you want to use in your policy. You can define an association to evaluate first for your VPCs and one to evaluate last. For this tutorial, add one or two rule group associations, depending on your needs.

  10. Choose Next.

  11. Amazon Web Services accounts affected by this policy allows you to narrow the scope of your policy by specifying accounts to include or exclude. For this tutorial, choose Include all accounts under my organization.

    The Resource type for a DNS Firewall policy is always VPC.

  12. For Resources, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use inclusion or exclusion, and not both. For more information about tags, see Working with Tag Editor.

    If you enter more than one tag, a resource must have all of the tags to be included or excluded.

    Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value.

  13. Choose Next.

  14. For Policy tags, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see Working with Tag Editor.

  15. Choose Next.

  16. Review the new policy settings and return to any pages where you need to any adjustments.

    Check to be sure that Policy actions is set to Identify resources that don’t comply with the policy rules, but don’t auto remediate. This allows you to review the changes that your policy would make before you enable them.

  17. When you are satisfied with the policy, choose Create policy.

    In the Amazon Firewall Manager policies pane, your policy should be listed. It will probably indicate Pending under the accounts headings and it will indicate the status of the Automatic remediation setting. The creation of a policy can take several minutes. After the Pending status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see Viewing compliance information for an Amazon Firewall Manager policy

  18. When you are finished exploring, if you don't want to keep the policy that you created for this tutorial, choose the policy name, choose Delete, choose Clean up resources created by this policy., and finally choose Delete.

For more information about Firewall Manager DNS Firewall policies, see Using Amazon Route 53 Resolver DNS Firewall policies in Firewall Manager.