Amazon Firewall Manager policy scope - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Amazon Firewall Manager policy scope

The policy scope defines where the policy applies. You can either apply centrally controlled policies to all of your accounts and resources within your organization in Amazon Organizations, or to a subset of your accounts and resources. For instructions on how to set policy scope, see Creating an Amazon Firewall Manager policy.

Policy scope options in Amazon Firewall Manager

When you add a new account or resource to your organization, Firewall Manager automatically assesses it against your settings for each policy and applies the policy based on these settings. For example, you can choose to apply a policy to all accounts except the account numbers in a specified list; you can also choose to apply a policy only to resources that have all of the tags in a list.

Amazon Web Services accounts in scope

The account settings that you provide determine which accounts in your Amazon organization the policy applies to. You can choose to apply the policy in one of the following ways:

  • To all accounts in your organization

  • To only a specific list of included account numbers and Amazon Organizations organizational units (OUs)

  • To all except a specific list of excluded account numbers and Amazon Organizations organizational units (OUs)

For information about Amazon Organizations, see Amazon Organizations User Guide.

Resources in scope

Similarly to the settings for accounts in scope, the settings that you provide for resources determine which in-scope resource types to apply the policy to. You can choose one of the following:

  • All resources

  • Resources that have all of the tags that you specify

  • All resources except those that have all of the tags that you specify

You can only specify resource tags with non-null values. If you don't provide anything for the value, Firewall Manager saves the tag with an empty string value: "". Resource tags only match tags that have the same key and the same value, so a tag saved with an empty value matches only resource tags whose value is also empty.

For more information about tagging your resources, see Working with Tag Editor.
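The account and resource scope rules above, modeled as an added example (this is not code from the Firewall Manager documentation or the service). Field names follow the Firewall Manager PutPolicy request shape (IncludeMap/ExcludeMap keyed by ACCOUNT or ORG_UNIT, ResourceTags, ExcludeResourceTags); the OU membership table is constructed sample data, since the code never calls the service.

```python
from dataclasses import dataclass, field

# Constructed sample data: the OUs each account belongs to. An account is in an
# OU's scope if that OU is anywhere on its path to the organization root.
ACCOUNT_OUS = {
    "111111111111": {"ou-root-prod"},
    "222222222222": {"ou-root-prod", "ou-prod-payments"},
    "333333333333": {"ou-root-sandbox"},
}


@dataclass
class Scope:
    include_map: dict = field(default_factory=dict)    # {"ACCOUNT": [...], "ORG_UNIT": [...]}
    exclude_map: dict = field(default_factory=dict)    # same shape; a policy uses include OR exclude
    resource_tags: list = field(default_factory=list)  # [{"Key": k, "Value": v}, ...]
    exclude_resource_tags: bool = False                # True = "all resources except those tagged"


def _matches_map(account: str, m: dict) -> bool:
    """True if the account is listed directly or belongs to a listed OU."""
    if account in m.get("ACCOUNT", []):
        return True
    return bool(ACCOUNT_OUS.get(account, set()) & set(m.get("ORG_UNIT", [])))


def account_in_scope(account: str, scope: Scope) -> bool:
    """All accounts, only the included list, or all except the excluded list."""
    if scope.include_map:
        return _matches_map(account, scope.include_map)
    if scope.exclude_map:
        return not _matches_map(account, scope.exclude_map)
    return True


def normalize_tags(tags: list) -> dict:
    """Firewall Manager stores a tag given without a value as the empty string ""."""
    return {t["Key"]: t.get("Value") or "" for t in tags}


def resource_in_scope(resource_tags: dict, scope: Scope) -> bool:
    """A resource matches only if it carries every policy tag with the same key and value."""
    wanted = normalize_tags(scope.resource_tags)
    if not wanted:
        return True  # "All resources"
    has_all = all(resource_tags.get(k) == v for k, v in wanted.items())
    return not has_all if scope.exclude_resource_tags else has_all
```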

Policy scope management in Amazon Firewall Manager

When policies are in place, Firewall Manager manages them continuously and applies them to new Amazon Web Services accounts and resources as they are added, in accordance with the policy scope.

How Firewall Manager manages Amazon Web Services accounts and resources

If an account or resource goes out of scope for any reason, Amazon Firewall Manager doesn't automatically remove protections or delete Firewall Manager-managed resources unless you select the Automatically remove protections from resources that leave the policy scope check box.

Note

The option Automatically remove protections from resources that leave the policy scope is not available for Amazon Shield Advanced or Amazon WAF Classic policies.

Selecting this check box directs Amazon Firewall Manager to automatically clean up resources that Firewall Manager manages for accounts when those accounts leave the policy scope. For example, Firewall Manager will disassociate a Firewall Manager-managed web ACL from a protected customer resource when the customer resource leaves the policy scope.

To determine which resources should be removed from protection when a customer resource leaves the policy scope, Firewall Manager follows these guidelines:

  • Default behavior:

    • The associated Amazon Config managed rules are deleted. This behavior is independent of the check box.

    • Any associated Amazon WAF web access control lists (web ACLs) that don't contain any resources are deleted. This behavior is independent of the check box.

    • Any protected resource that goes out of scope remains associated and protected. For example, an Application Load Balancer or API from API Gateway that's associated with a web ACL remains associated with the web ACL, and the protection remains in place.

  • With the Automatically remove protections from resources that leave the policy scope check box selected:

    • The associated Amazon Config managed rules are deleted. This behavior is independent of the check box.

    • Any associated Amazon WAF web access control lists (web ACLs) that don't contain any resources are deleted. This behavior is independent of the check box.

    • Any protected resource that goes out of scope is automatically disassociated and removed from Firewall Manager protection when it leaves the policy scope. For example, for a security group policy, an Elastic Inference accelerator or Amazon EC2 instance is automatically disassociated from the replicated security group when it leaves the policy scope. The replicated security group and its resources are automatically removed from protection.