AWS Firewall Manager Policies Are Compliant
Overview
This check verifies that all AWS Firewall Manager (FMS) policies in your administrator account are compliant across all member accounts in your organization. Firewall Manager lets you centrally manage security policies for WAF rules, Shield Advanced protections, security groups, and network firewalls across multiple accounts.
Risk
When Firewall Manager policies are noncompliant or missing:
- Security gaps: Resources may lack required firewall rules, WAF protections, or security group controls
- DDoS exposure: Without Shield Advanced policies, your applications are vulnerable to distributed denial-of-service attacks
- Unauthorized access: Missing security group policies can leave ports open to the internet
- Data exfiltration: Improperly configured network firewalls may allow sensitive data to leave your network
- Compliance violations: Inconsistent security controls across accounts can lead to audit failures
Remediation Steps
Prerequisites
- Access to the Firewall Manager administrator account (this is a delegated admin account in AWS Organizations)
- IAM permissions for Firewall Manager (fms:* actions)
- AWS Config must be enabled in all accounts and regions covered by the policies
AWS Console Method
- Sign in to the AWS Console using your Firewall Manager administrator account
- Navigate to Firewall Manager:
  - Go to Services > Security, Identity, & Compliance > Firewall Manager
  - Or search for "Firewall Manager" in the search bar
- Review existing policies:
  - Click Security policies in the left navigation
  - Look for policies with a Noncompliant status
- For noncompliant policies, click the policy name to view details:
  - Check Policy details > Accounts to see which accounts are noncompliant
  - Review Noncompliant resources to understand what needs fixing
- Fix noncompliant policies:
  - Click Edit on the policy
  - Under Policy action, enable Auto remediate any noncompliant resources
  - Ensure Policy scope includes all intended accounts (select "Include all accounts under my AWS organization")
  - Click Save
- If no policies exist, create one:
  - Click Create policy
  - Select the policy type (WAF, Shield Advanced, Security group, Network Firewall, etc.)
  - Configure the policy rules for your security requirements
  - Set scope to All accounts in my organization
  - Enable Auto remediate
  - Click Create policy
- Verify compliance:
  - Wait a few minutes for Firewall Manager to evaluate resources
  - Return to Security policies and confirm all policies show Compliant status
AWS CLI (optional)
List all Firewall Manager policies:
aws fms list-policies --region us-east-1
Check compliance status for a specific policy:
aws fms list-compliance-status \
--policy-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
--region us-east-1
Get detailed compliance information for a specific account:
aws fms get-compliance-detail \
--policy-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
--member-account 123456789012 \
--region us-east-1
Create or update a policy with auto-remediation enabled:
First, create a policy JSON file (policy.json). Replace sg-xxxxxxxxxxxxxxxxx with your baseline security group ID (a SECURITY_GROUPS_COMMON policy requires at least one security group in securityGroups); leaving out IncludeMap and ExcludeMap applies the policy to every account in the organization:
{
  "Policy": {
    "PolicyName": "SecurityGroupBaselinePolicy",
    "SecurityServicePolicyData": {
      "Type": "SECURITY_GROUPS_COMMON",
      "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":true,\"exclusiveResourceSecurityGroupManagement\":false,\"securityGroups\":[{\"id\":\"sg-xxxxxxxxxxxxxxxxx\"}]}"
    },
    "ResourceType": "AWS::EC2::SecurityGroup",
    "ResourceTags": [],
    "ExcludeResourceTags": false,
    "RemediationEnabled": true
  }
}
Then apply the policy:
aws fms put-policy \
--cli-input-json file://policy.json \
--region us-east-1
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Firewall Manager Security Group Policy
Resources:
  FMSSecurityGroupPolicy:
    Type: AWS::FMS::Policy
    Properties:
      PolicyName: SecurityGroupBaselinePolicy
      RemediationEnabled: true
      ResourceType: AWS::EC2::SecurityGroup
      ExcludeResourceTags: false
      SecurityServicePolicyData:
        Type: SECURITY_GROUPS_COMMON
        ManagedServiceData: |
          {
            "type": "SECURITY_GROUPS_COMMON",
            "revertManualSecurityGroupChanges": true,
            "exclusiveResourceSecurityGroupManagement": false,
            "securityGroups": [
              {
                "id": "sg-xxxxxxxxxxxxxxxxx"
              }
            ]
          }
      IncludeMap:
        ACCOUNT:
          - !Ref AWS::AccountId
      ExcludeMap:
        ACCOUNT: []
Outputs:
  PolicyId:
    Description: The ID of the Firewall Manager policy
    Value: !Ref FMSSecurityGroupPolicy
  PolicyArn:
    Description: The ARN of the Firewall Manager policy
    Value: !GetAtt FMSSecurityGroupPolicy.Arn
Deploy the template:
aws cloudformation deploy \
--template-file fms-policy.yaml \
--stack-name fms-security-group-policy \
--region us-east-1
Note: Replace sg-xxxxxxxxxxxxxxxxx with your baseline security group ID. This template must be deployed from the Firewall Manager administrator account. As written, IncludeMap scopes the policy to the deploying account only; list the member account or OU IDs you want covered, or omit IncludeMap and ExcludeMap to apply the policy to every account in the organization.
Terraform (optional)
# Configure the AWS Provider
provider "aws" {
  region = "us-east-1"
}

# Firewall Manager Security Group Policy
resource "aws_fms_policy" "security_group_policy" {
  name                  = "SecurityGroupBaselinePolicy"
  remediation_enabled   = true
  resource_type         = "AWS::EC2::SecurityGroup"
  exclude_resource_tags = false

  security_service_policy_data {
    type = "SECURITY_GROUPS_COMMON"
    managed_service_data = jsonencode({
      type                                     = "SECURITY_GROUPS_COMMON"
      revertManualSecurityGroupChanges         = true
      exclusiveResourceSecurityGroupManagement = false
      securityGroups = [
        {
          id = var.baseline_security_group_id
        }
      ]
    })
  }

  # No include_map or exclude_map: the policy applies to every account in the
  # organization. (IncludeMap only accepts account or OU IDs, not "*".)
}

variable "baseline_security_group_id" {
  description = "The ID of the baseline security group to apply"
  type        = string
}

output "policy_id" {
  description = "The ID of the Firewall Manager policy"
  value       = aws_fms_policy.security_group_policy.id
}

output "policy_arn" {
  description = "The ARN of the Firewall Manager policy"
  value       = aws_fms_policy.security_group_policy.arn
}
Deploy with Terraform:
terraform init
terraform plan -var="baseline_security_group_id=sg-xxxxxxxxxxxxxxxxx"
terraform apply -var="baseline_security_group_id=sg-xxxxxxxxxxxxxxxxx"
Note: This must be run from the Firewall Manager administrator account.
Verification
After remediation, verify compliance:
- Go to Firewall Manager > Security policies in the AWS Console
- Confirm all policies show a Compliant status
- Click into each policy to verify all member accounts are compliant
CLI verification commands
# List all policies and their status
aws fms list-policies --region us-east-1
# Check compliance for a specific policy
aws fms list-compliance-status \
--policy-id <your-policy-id> \
--region us-east-1 \
--query 'PolicyComplianceStatusList[*].{Account:MemberAccount,Status:EvaluationResults[0].ComplianceStatus}'
Expected output for a compliant policy:
[
  {
    "Account": "123456789012",
    "Status": "COMPLIANT"
  },
  {
    "Account": "234567890123",
    "Status": "COMPLIANT"
  }
]
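The CLI checks above and in the AWS CLI section cover one policy at a time. The following helper, added here and not part of the original page or of any AWS tooling, walks every policy returned by list-policies, pages through list-compliance-status for each, and flags policies with auto-remediation disabled, accounts with noncompliant resources, and dependency problems such as AWS Config being off (reported by the API in IssueInfoMap). The boto3 calls and administrator-account credentials are assumptions; the sample responses are constructed.

```python
# Added example: flag Firewall Manager policies that need attention, using the shapes
# returned by `fms list-policies` / `fms list-compliance-status`. evaluate() is pure;
# fetch_findings() assumes boto3 and credentials for the FMS administrator account.
def evaluate(policies, status_by_policy):
    """Return (policy_id, account, reason) tuples; an empty list means fully compliant."""
    findings = []
    for policy in policies:
        pid = policy["PolicyId"]
        if not policy.get("RemediationEnabled", False):
            findings.append((pid, "-", "auto-remediation disabled"))
        for status in status_by_policy.get(pid, []):
            account = status["MemberAccount"]
            # IssueInfoMap reports dependency problems, e.g. AWSCONFIG when Config is off
            for service, detail in status.get("IssueInfoMap", {}).items():
                findings.append((pid, account, f"{service}: {detail}"))
            for result in status.get("EvaluationResults", []):
                if result.get("EvaluationLimitExceeded"):
                    findings.append((pid, account, "evaluation limit exceeded"))
                if result.get("ComplianceStatus") != "COMPLIANT":
                    count = result.get("ViolatorCount", 0)
                    findings.append((pid, account, f"{count} noncompliant resource(s)"))
    return findings

def _paginate(call, key, **kwargs):
    token = None  # follow NextToken until the API stops returning one
    while True:
        page = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return

def fetch_findings(region="us-east-1"):
    import boto3  # imported lazily so evaluate() runs without the SDK installed
    fms = boto3.client("fms", region_name=region)
    policies = list(_paginate(fms.list_policies, "PolicyList"))
    status = {p["PolicyId"]: list(_paginate(fms.list_compliance_status,
              "PolicyComplianceStatusList", PolicyId=p["PolicyId"])) for p in policies}
    return evaluate(policies, status)

# Constructed sample responses; the account and policy IDs are placeholders.
POLICY_A, POLICY_B = "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "e5f6a7b8-1234-56cd-ef90-EXAMPLE22222"
SAMPLE_POLICIES = [{"PolicyId": POLICY_A, "RemediationEnabled": True},
                   {"PolicyId": POLICY_B, "RemediationEnabled": False}]
SAMPLE_STATUS = {
    POLICY_A: [{"MemberAccount": "111111111111", "EvaluationResults": [{"ComplianceStatus": "COMPLIANT", "ViolatorCount": 0}]},
               {"MemberAccount": "222222222222", "EvaluationResults": [{"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 3}]}],
    POLICY_B: [{"MemberAccount": "111111111111", "EvaluationResults": [],
                "IssueInfoMap": {"AWSCONFIG": "constructed: AWS Config not enabled"}}],
}
```

Run evaluate(SAMPLE_POLICIES, SAMPLE_STATUS) to see the three findings the sample produces, or fetch_findings() from the administrator account to report on real policies.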
Additional Resources
- What is AWS Firewall Manager?
- Getting Started with AWS Firewall Manager
- AWS Firewall Manager Policy Types
- Firewall Manager Prerequisites
- AWS Config Required for Firewall Manager
Notes
- Administrator account required: Firewall Manager policies can only be created and managed from the designated FMS administrator account in AWS Organizations
- AWS Config dependency: AWS Config must be enabled in all accounts and regions for Firewall Manager to evaluate compliance. If compliance status shows issues, verify AWS Config is properly configured
- Propagation time: After creating or modifying a policy, it may take several minutes for Firewall Manager to evaluate all resources across accounts
- Cost considerations: Some Firewall Manager policy types (like Shield Advanced) incur additional costs. Review pricing before enabling
- Auto-remediation impact: Enabling auto-remediation will automatically modify resources to comply with your policies. Test policies in a limited scope first before applying organization-wide