Sharing firewall policies and rule groups - Amazon Network Firewall
Prerequisites for sharing firewall policies and rule groupsRelated servicesSharing across Availability ZonesSharing a firewall policy or rule groupUnsharing a shared firewall policy or rule group
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Sharing firewall policies and rule groups

The owner of a firewall policy or rule group can share a resource with:

  • Specific Amazon Web Services accounts inside or outside of its organization in Amazon Organizations

  • An organizational unit inside its organization in Amazon Organizations

  • Its entire organization in Amazon Organizations

Warning

You can't share a firewall policy that's configured to use a TLS inspection configuration.

The owner of a rule group can share a rule group that refers to a resource group, but can't share the resource group itself.

Prerequisites for sharing firewall policies and rule groups

  • To share a firewall policy or rule group, you must own it in your Amazon Web Services account. You cannot share a firewall policy or rule group that has been shared with you.

  • To share a firewall policy or rule group with your organization or an organizational unit in Amazon Organizations, you must enable sharing with Amazon Organizations. For more information, see Enable Sharing with Amazon Organizations in the Amazon RAM User Guide.

Firewall policy and rule group sharing integrates with Amazon Resource Access Manager (Amazon RAM). Amazon RAM is a service that enables you to share your Amazon resources with any Amazon Web Services account or through Amazon Organizations. With Amazon RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share, and the consumers with whom to share them. Consumers can be individual Amazon Web Services accounts, organizational units, or an entire organization in Amazon Organizations.

For more information about Amazon RAM, see the Amazon RAM User Guide.

Sharing across Availability Zones

To ensure that resources are distributed across the Availability Zones for a Region, we independently map Availability Zones to names for each account. This could lead to Availability Zone naming differences across accounts. For example, the Availability Zone us-east-1a for your Amazon Web Services account might not have the same location as us-east-1a for another Amazon Web Services account.

To identify the location of your firewall policy or rule group relative to your accounts, you must use the Availability Zone ID (AZ ID). The AZ ID is a unique and consistent identifier for an Availability Zone across all Amazon Web Services accounts. For example, use1-az1 is an AZ ID for the us-east-1 Region and it is the same location in every Amazon Web Services account.

To view the AZ IDs for the Availability Zones in your account

  1. Open the Amazon RAM console at https://console.amazonaws.cn/ram.

  2. The AZ IDs for the current Region are displayed in the Your AZ ID panel on the right-hand side of the screen.

Sharing a firewall policy or rule group

To share a firewall policy or rule group, you must add it to a resource share. A resource share is an Amazon RAM resource that lets you share your resources across Amazon Web Services accounts. A resource share specifies the resources to share, and the consumers with whom they are shared. When you share a firewall policy or rule group using Amazon Network Firewall, you add it to an existing resource share. To add the firewall policy or rule group to a new resource share, you must first create the resource share using the Amazon RAM console.

If you are part of an organization in Amazon Organizations and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared firewall policies and rule groups. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared firewall policies and rule groups after accepting the invitation.

You can share a firewall policy or rule group that you own using the Amazon RAM console, the Amazon Network Firewall API, or the Amazon CLI.

To share a firewall policy or rule group that you own using the Amazon RAM console

See Creating a Resource Share in the Amazon RAM User Guide.

To share a firewall policy or rule group that you own using the Amazon CLI

Use the create-resource-share command.

To share a firewall policy or rule group that you own using the Network Firewall API

Use the PutResourcePolicy action. For information about how to use this, see PutResourcePolicy in the Amazon Network Firewall API Reference.

Unsharing a shared firewall policy or rule group

To unshare a shared firewall policy or rule group that you own, you must remove it from the resource share. You can do this using the Amazon RAM console or the Amazon CLI.

To unshare a shared firewall policy or rule group that you own using the Amazon RAM console

See Updating a Resource Share in the Amazon RAM User Guide.

To unshare a shared firewall policy or rule group that you own using the Amazon CLI

Use the disassociate-resource-share command.