Working with Amazon Firewall Manager policies - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with Amazon Firewall Manager policies

Amazon Firewall Manager provides the following types of policies. For each policy type, you define the :

  • Amazon WAF policy – Firewall Manager supports Amazon WAF and Amazon WAF Classic policies. For both versions, you define which resources are protected by the policy.

    • The Amazon WAF policy type takes sets of rule groups to run first and last in the web ACL. Then, in the accounts where you apply the web ACL, the account owner can add rules and rule groups to run in between the two sets.

    • The Amazon WAF Classic policy type takes a single rule group to run in the web ACL.

  • Shield Advanced policy – This policy type applies Shield Advanced protections throughout your organization for the resource types that you specify.

  • Amazon VPC security group policy – This policy type gives you control over security groups that are in use throughout your organization and lets you enforce a baseline set of rules across your organization.

  • Amazon VPC network access control list (ACL) policy – This policy type gives you control over network ACLs that are in use throughout your organization and lets you enforce a baseline set of network ACLs across your organization.

  • Network Firewall policy – This policy type applies Amazon Network Firewall protection to your organization's VPCs.

  • Amazon Route 53 Resolver DNS Firewall policy – This policy applies DNS Firewall protections to your organization's VPCs.

  • Third-party firewall policy – This policy type applies third-party firewall protections. Third-party firewalls are available by subscription through the Amazon Marketplace console.

    • Palo Alto Networks Cloud NGFW policy – This policy type applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs.

    • Fortigate Cloud Native Firewall (CNF) as a Service policy – This policy type applies Fortigate Cloud Native Firewall (CNF) as a Service protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection.

A Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple policy types across accounts, you can create multiple policies. You can create more than one policy for each type.

If you add a new account to an organization that you created with Amazon Organizations, Firewall Manager automatically applies the policy to the resources in that account that are within scope of the policy.

General settings for Amazon Firewall Manager policies

Amazon Firewall Manager managed policies have some common settings and behaviors. For all, you specify a name and define the scope of the policy, and you can use resource tagging to control policy scope. You can choose to view the accounts and resources that are out of compliance without taking corrective action or to automatically remediate noncompliant resources.
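The two descriptions above (the Amazon WAF policy's rule groups that run first and last in the web ACL, and the common settings: name, scope by resource tag, and the choice between viewing noncompliance and remediating it) map onto one policy document. The following is an added example, not code from this documentation page or from the Firewall Manager service itself: it assembles a WAFV2 policy in the shape accepted by `aws fms put-policy --cli-input-json` and runs a few pre-submission checks on it. The policy name, account ID and tag values are constructed placeholders; the managed rule group names are the standard AWS-managed ones.

```python
"""Assemble and sanity-check an Amazon Firewall Manager policy document.

Added example, not code from the documentation page. It builds the `Policy`
structure that `aws fms put-policy --cli-input-json file://policy.json` (or
boto3 `fms.put_policy(Policy=...)`) accepts, for the WAFV2 policy type: rule
groups to run first (preProcessRuleGroups) and last (postProcessRuleGroups)
in the generated web ACL, scope by resource tag, and the remediation switch.
Policy name, account ID and tag values are constructed placeholders.
"""
import json
from typing import Dict, List, Tuple


def managed_rule_group(vendor: str, name: str) -> Dict:
    """One ManagedRuleGroup entry in the shape Firewall Manager expects."""
    return {
        "ruleGroupType": "ManagedRuleGroup",
        "ruleGroupArn": None,
        "managedRuleGroupIdentifier": {
            "vendorName": vendor,
            "managedRuleGroupName": name,
            "version": None,  # None: use the vendor's current default version
        },
        "overrideAction": {"type": "NONE"},  # keep the rule group's own actions
        "excludeRules": [],
    }


def waf_managed_service_data(pre: List[Tuple[str, str]], post: List[Tuple[str, str]],
                             default_action: str = "ALLOW") -> Dict:
    """WAFV2 ManagedServiceData: first/last rule groups plus the web ACL default.

    Member account owners can add their own rules between the two sets.
    """
    return {
        "type": "WAFV2",
        "preProcessRuleGroups": [managed_rule_group(v, n) for v, n in pre],
        "postProcessRuleGroups": [managed_rule_group(v, n) for v, n in post],
        "defaultAction": {"type": default_action},
        # False: a web ACL already associated in a member account is left alone.
        "overrideCustomerWebACLAssociation": False,
    }


def build_policy(name: str, policy_type: str, managed_service_data: Dict,
                 resource_type: str, scope_tags: Dict[str, str],
                 remediate: bool, include_accounts: List[str]) -> Dict:
    """Wrap ManagedServiceData in the settings common to every policy type."""
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": policy_type,
            # ManagedServiceData is itself a JSON document, serialized to a string.
            "ManagedServiceData": json.dumps(managed_service_data),
        },
        "ResourceType": resource_type,
        # Scope: only resources carrying all of these tags are in scope,
        # because ExcludeResourceTags is False (True inverts the match).
        "ResourceTags": [{"Key": k, "Value": v} for k, v in scope_tags.items()],
        "ExcludeResourceTags": False,
        # False: report noncompliant resources only; True: Firewall Manager fixes them.
        "RemediationEnabled": remediate,
        "IncludeMap": {"ACCOUNT": include_accounts},
    }


def parse_managed_service_data(policy: Dict) -> Dict:
    """Decode the serialized ManagedServiceData back into a dict."""
    return json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])


def check_policy(policy: Dict) -> List[str]:
    """Pre-submission checks; returns a list of findings (empty when clean)."""
    findings = []
    svc = policy["SecurityServicePolicyData"]
    try:
        msd = json.loads(svc["ManagedServiceData"])
    except (ValueError, TypeError):
        return ["ManagedServiceData is not a JSON string"]
    if msd.get("type") != svc["Type"]:
        findings.append(f"ManagedServiceData type {msd.get('type')!r} "
                        f"does not match policy Type {svc['Type']!r}")
    if svc["Type"] == "WAFV2":
        for key in ("preProcessRuleGroups", "postProcessRuleGroups"):
            if not isinstance(msd.get(key), list):
                findings.append(f"WAFV2 ManagedServiceData lacks list {key}")
    # With neither tag scope nor an account/OU list, every resource of the
    # policy's type in the whole organization is in scope.
    if not policy.get("ResourceTags") and not any(policy.get("IncludeMap", {}).values()):
        findings.append("policy has no tag or account scope: all in-type resources are in scope")
    return findings


def cli_input_json(policy: Dict) -> str:
    """Text for the policy.json file consumed by `aws fms put-policy`."""
    return json.dumps({"Policy": policy}, indent=2)


if __name__ == "__main__":
    msd = waf_managed_service_data(
        pre=[("AWS", "AWSManagedRulesAmazonIpReputationList")],
        post=[("AWS", "AWSManagedRulesCommonRuleSet")])
    policy = build_policy("example-waf-baseline", "WAFV2", msd,
                          "AWS::ElasticLoadBalancingV2::LoadBalancer",
                          {"Environment": "prod"}, remediate=False,
                          include_accounts=["111111111111"])  # placeholder account
    print(check_policy(policy) or "no findings")
    print(cli_input_json(policy))
```

Running the script prints the `policy.json` body; keeping `RemediationEnabled` false first lets you review the compliance view in the Firewall Manager console before switching remediation on.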

For information about policy scope, see Amazon Firewall Manager policy scope.