Enabling Amazon Shield network security director - Amazon WAF, Amazon Firewall Manager, Amazon Shield Advanced, and Amazon Shield network security director
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Introducing a new console experience for Amazon WAF

You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see Working with the console.

Enabling Amazon Shield network security director

Note

Amazon Shield network security director is in public preview release and is subject to change.

Amazon Shield network security director is enabled for Amazon accounts through Amazon Organizations. This section of the documentation describes all the steps required to enable Amazon Shield network security director for an Amazon Organization.

This section includes two steps, both of which are necessary to complete network security director setup:

  1. The Amazon Organization management account enables Amazon Shield network security director, designates a delegated administrator for the organization, and creates the corresponding delegated administrator policy.

  2. The delegated administrator for the organization creates a policy that enables Amazon Shield network security director for user-selected regions and target member accounts in the organization.

Enabling Amazon Shield network security director and delegating a service administrator

When you assign the delegated administrator account for Amazon Shield network security director, the console recommends an existing delegated administrator if one is already configured for another Amazon security service, such as Amazon Security Hub. If no delegated administrator exists, you are prompted to select a member account from your organization. The organization's management account cannot be designated as the delegated administrator.

To designate an administrator for Amazon Shield network security director
  1. Sign in to your Amazon Account with your Amazon Organization management account credentials and open the Amazon Shield network security director console at https://console.amazonaws.cn/wafv2/network-security-director/.

  2. From the network security director home page, choose Get started.

  3. For Delegated administrator account, choose an administrator account based on the provided options. As a best practice, we recommend using the same delegated administrator across security services for consistent governance.

  4. For Delegated administrator policy, choose one of the following options to add the policy statement:

    1. (Option 1) Choose Update this for me. Select the box under the policy statement to confirm that Amazon Shield network security director will automatically create a delegation policy granting all required permissions to the delegated administrator.

    2. (Option 2) Choose I want to attach this manually. Choose Copy and attach. In the Amazon Organizations console, under Delegated administrator for Amazon Organizations, choose Delegate, paste the resource policy in the delegation policy editor, and then choose Create Policy. Return to the browser tab where the Amazon Shield network security director console is open.

  5. Choose Complete get started.

At the end of this step the following actions will be complete:

  • Trusted Access enablement for Amazon Shield network security director. This will allow network security director to create service-linked roles within member accounts that are in scope of the policy.

  • Creation of the service-linked role AWSServiceRoleForNetworkSecurityDirector for the organization’s management account.

  • Registration of the delegated administrator for Amazon Shield network security director.

  • Update of the resource policy, allowing the delegated administrator for Amazon Shield network security director to make necessary calls to Amazon Organizations APIs.

Now that the setup is complete, you will be redirected to the Settings page, where you can update or remove the delegated administrator, manage delegation policy, and disable network security director as a service. To access this settings page in the future with the organization's management account, navigate to the network security director console and choose Manage settings.
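As an added example (this is not code from the Amazon documentation or from the service itself), the following Python script checks the four end-state items listed above against API-shaped responses, entirely offline. The account ids, the service principal string and the sample delegation policy are constructed placeholders; in a real audit you would feed in the JSON returned by `aws organizations list-aws-service-access-for-organization`, `aws organizations list-delegated-administrators`, `aws organizations describe-resource-policy` and `aws iam get-role`, and substitute the real service principal shown in your Organizations output.

```python
"""Offline checks for the step-1 end state: trusted access, the service-linked role,
the delegated administrator registration, and the Organizations delegation policy.
All identifiers below are constructed placeholders, not values from the page."""
import json

# Constructed placeholders: replace with your organization's real values.
MANAGEMENT_ACCOUNT = "111111111111"
DELEGATED_ADMIN = "222222222222"
SERVICE_PRINCIPAL = "PLACEHOLDER-network-security-director-service-principal"  # assumed
SLR_NAME = "AWSServiceRoleForNetworkSecurityDirector"  # role name as given on the page

# Constructed sample of a delegation (resource) policy in the shape Organizations uses:
# the delegated administrator account is allowed a read-only set of Organizations calls.
SAMPLE_DELEGATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DelegatedAdminReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws-cn:iam::{DELEGATED_ADMIN}:root"},
        "Action": ["organizations:ListAccounts", "organizations:DescribeOrganization",
                   "organizations:ListAccountsForParent"],
        "Resource": "*",
    }],
}

# Constructed samples shaped like the CLI/API responses named in the lead-in.
SAMPLE_SERVICE_ACCESS = {"EnabledServicePrincipals": [{"ServicePrincipal": SERVICE_PRINCIPAL}]}
SAMPLE_DELEGATED_ADMINS = {"DelegatedAdministrators": [{"Id": DELEGATED_ADMIN, "Status": "ACTIVE"}]}
SAMPLE_ROLES = [{"RoleName": SLR_NAME, "Path": "/aws-service-role/"}]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """'arn:aws-cn:iam::222222222222:root' or a bare account id -> account id."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def audit_delegation_policy(policy, delegated_admin, management_account):
    """Return a list of findings; an empty list means the policy matches expectations:
    only the delegated administrator is a principal, the management account is never
    delegated to, no wildcard principals, and only Organizations API actions."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        raw = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(raw):
            if p == "*":
                findings.append(f"{sid}: wildcard principal grants every AWS account access")
                continue
            acct = _account_of(p)
            if acct == management_account:
                findings.append(f"{sid}: management account {acct} is a principal; "
                                "it cannot be the delegated administrator")
            elif acct != delegated_admin:
                findings.append(f"{sid}: unexpected principal account {acct}")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or not action.startswith("organizations:"):
                findings.append(f"{sid}: action {action!r} is outside the Organizations API namespace")
    return findings


def verify_setup(service_access, delegated_admins, roles, service_principal=SERVICE_PRINCIPAL,
                 expected_admin=DELEGATED_ADMIN, management_account=MANAGEMENT_ACCOUNT,
                 slr_name=SLR_NAME):
    """Compare response-shaped dicts with the end state the page lists after step 1."""
    enabled = {e["ServicePrincipal"] for e in service_access.get("EnabledServicePrincipals", [])}
    admins = {a["Id"] for a in delegated_admins.get("DelegatedAdministrators", [])}
    role_names = {r["RoleName"] for r in roles}
    return {
        "trusted_access_enabled": service_principal in enabled,
        "delegated_admin_registered": expected_admin in admins,
        "management_account_not_admin": management_account not in admins,
        "service_linked_role_present": slr_name in role_names,
    }


if __name__ == "__main__":
    print(json.dumps(verify_setup(SAMPLE_SERVICE_ACCESS, SAMPLE_DELEGATED_ADMINS, SAMPLE_ROLES), indent=2))
    print("policy findings:", audit_delegation_policy(SAMPLE_DELEGATION_POLICY,
                                                      DELEGATED_ADMIN, MANAGEMENT_ACCOUNT))
```

The policy audit is the part worth keeping around: if you chose Option 2 and pasted the policy by hand, running it over the `Content` string from `describe-resource-policy` (after `json.loads`) catches a wildcard principal or a stray account before the delegated administrator starts relying on the grant.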

Enabling Amazon Shield network security director for member accounts with delegated administrator

This step must be completed by the delegated administrator. Once the Amazon Organization's management account designates a delegated administrator, that administrator must create a policy that grants permission to enable regions within the organization. All configured policies are available in the Region and Account Policies section of the Amazon Shield network security director console. The procedure below outlines how to create this policy.

To create and attach a policy that enables regions for targeted accounts
  1. Sign in to your Amazon account with your delegated administrator credentials and open the Amazon Shield network security director console at https://console.amazonaws.cn/wafv2/network-security-director/.

  2. From the Amazon Shield network security director home page, choose Enable.

  3. For Details, enter a name and an optional description for the policy.

  4. For Account selection, choose All organizational units and accounts to apply the policy to every organizational unit and account in the organization, or choose Specific organizational units and accounts and then use the search bar or the organizational structure tree to pick the organizational units and accounts where the policy will be applied.

  5. For Regions, select the regions you want to enable or disable for this policy. Refer to Performance Considerations before completing your selections.

  6. Review your changes, and then choose Enable network security director.

At the end of this step the following actions will be complete:

  • Creation of the service-linked role AWSServiceRoleForNetworkSecurityDirector for the current delegated administrator account.

  • Creation of the policy that enables Amazon Shield network security director to run scans in the enabled regions and on the attached targets.

  • Redirection to the Summary dashboard, where you can view organization-wide insights as well as resource-level details for each account.

After setup completes, the console opens the Summary dashboard, where you can view organization-wide insights as well as resource-level details for each account. To manage the policies in the future with the delegated administrator account, navigate to the network security director console and choose Manage settings.