Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

🚀 Extended! 25% OFF All Practice Exams & Video Courses, $2.99 eBooks, Savings on PlayCloud and CodeQuest!

AWS Firewall Manager

Home » AWS Cheat Sheets » AWS Security & Identity Services » AWS Firewall Manager

AWS Firewall Manager

Last updated on November 30, 2025

AWS Firewall Manager Cheat Sheet

AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across multiple AWS accounts and applications in AWS Organizations.

  • Simplification: You set up your firewall rules just once, and the service automatically applies them across your accounts and resources (even as new resources are created).

  • Scope: It goes beyond just WAF; it manages VPC Security Groups, Network ACLs, AWS Network Firewall, DNS Firewall, and Shield Advanced.

Key Features

1. Centralized Management

  • Integrated with AWS Organizations: Automatically fetches new accounts and resources to apply protection policies immediately upon creation.

  • Multi-Account Resource Groups: Allows you to group resources by Account, Resource Type, or Tag to apply granular policies (e.g., “Apply this WAF rule to all ALBs tagged Stage:Prod“).

2. Supported Policy Types Firewall Manager supports policies for these distinct security services:

  • AWS WAF: Deploy WAF rules (Web ACLs) to Application Load Balancers, API Gateways, and CloudFront distributions.

    • Feature: Supports Retrofitting, allowing you to add central rules to existing Web ACLs without overwriting the local rules created by application teams.

  • AWS Shield Advanced: Automatically enable DDoS protection on ELBs, Elastic IPs, and CloudFront distributions.

    • Tutorials dojo strip

  • Amazon VPC Security Groups:

    • Usage Audit: Detects overly permissive rules (e.g., Port 22 open to 0.0.0.0/0).

    • Content Audit: Enforces a “primary” security group on all instances.

    • Remediation: Can automatically remove non-compliant rules.

  • Amazon VPC Network ACLs: Centrally manage subnet-level Network Access Control Lists.

  • AWS Network Firewall: Centrally deploy Network Firewall endpoints and rule groups into VPCs across your organization to filter Layer 3-7 traffic.

  • Amazon Route 53 Resolver DNS Firewall: Centrally deploy DNS filtering rules to block queries to known malicious domains.

  • Third-Party Firewalls: Centrally deploy and manage firewalls from AWS Marketplace partners like Palo Alto Networks and Fortinet.

3. Hierarchical Enforcement

  • Delegate & Enforce: You can enforce a set of “mandatory” security rules centrally (e.g., “Block traffic from embargoed countries”) while allowing local application teams to add their own app-specific rules.

4. Compliance & Reporting

  • Compliance Dashboard: Provides a visual dashboard to see which accounts/resources are compliant with your policies.

  • SNS Notifications: Sends alerts when non-compliant resources are discovered.

How It Works

  1. Prerequisites: You must use AWS Config and AWS Organizations. You must designate a Delegated Administrator account (best practice: not the root Management Account) to manage security policies.

  2. Policy Creation: You define a “Policy” (e.g., “Apply this WAF Rule Group”).

  3. Scope Definition: You define which Accounts, OUs, or Tags are in scope.

  4. Enforcement: Firewall Manager automatically applies the policy.

    • Auto Remediate: Automatically fixes drift (e.g., re-applies a missing rule).

    • Manual: Simply alerts you to non-compliance.

Common Use Cases

  • Day 1 Protection: Ensure every new VPC created in the organization automatically gets a Network Firewall and DNS filtering rules.

  • DDoS Standardization: Automatically enroll all Production Elastic IPs into Shield Advanced Protection.

  • Audit Compliance: Continually scan all Security Groups to ensure no one has accidentally opened SSH (port 22) to the internet.

AWS Firewall Manager Pricing

Pricing depends on your AWS Shield Advanced subscription status:

1. For Shield Advanced Customers

  • Firewall Manager Policies: Free. (Included at no additional charge).

  • Config Rules: You pay standard AWS Config pricing for the underlying config rules created by the policies.

2. For Standard Customers (No Shield Advanced)

  • Protection Policy Fee: $100.00 per policy, per Region, per month.

  • Resource Fees: You still pay the standard charges for the underlying resources created (e.g., you pay for the WAF Web ACLs, Network Firewall Endpoints, and Config Rules created by the manager).

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

AWS Certified Security - Specialty Exam Study Path

AWS Firewall Manager Cheat Sheet References:
https://aws.amazon.com/firewall-manager/features/
https://aws.amazon.com/firewall-manager/pricing/
https://aws.amazon.com/firewall-manager/faqs/

🚀 Extended! 25% OFF All Practice Exams & Video Courses, $2.99 eBooks, Savings on PlayCloud and CodeQuest!

Tutorials Dojo portal

Learn AWS with our PlayCloud Hands-On Labs

🧑‍💻 50% OFF – CodeQuest Coding Labs

$2.99 AWS and Azure Exam Study Guide eBooks

tutorials dojo study guide eBook

New AWS Generative AI Developer Professional Course AIP-C01

AIP-C01 Exam Guide AIP-C01 examtopics AWS Certified Generative AI Developer Professional Exam Domains AIP-C01

Learn GCP By Doing! Try Our GCP PlayCloud

Learn Azure with our Azure PlayCloud

FREE AI and AWS Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?