Centrally Audit AWS Security Groups with AWS Firewall Manager

Managing security at scale across multiple AWS accounts can be complex. A key aspect of maintaining a robust security posture is ensuring that Security Groups (SGs) are configured according to your organization’s policies. AWS Firewall Manager provides a solution by enabling centralized management and auditing of security groups across all accounts within an AWS Organization.

What is AWS Firewall Manager?

AWS Firewall Manager is a security management service that simplifies the configuration and management of firewall rules across accounts and applications within AWS Organizations. It supports several AWS services, including AWS WAF, AWS Shield Advanced, VPC security groups and network ACLs, AWS Network Firewall, and Route 53 Resolver DNS Firewall.

A core feature is Security Group policies. These policies empower administrators to audit and enforce security group rules consistently and at scale.

Why Audit Security Groups?

Incorrectly configured security groups can create significant security vulnerabilities. Regular auditing helps to ensure:

  • Prevention of Overly Permissive Rules: Flags (and, if remediation is enabled, removes) rules that are too broad, such as allowing access from 0.0.0.0/0 (the entire internet) to sensitive ports like SSH (22) or RDP (3389).
  • Rule Consistency: Maintains uniform security group configurations across all accounts and Virtual Private Clouds (VPCs).
  • Identification and Remediation: Quickly detects and corrects any security groups that deviate from established policies.

This guide focuses on using AWS Firewall Manager to specifically audit security groups within an AWS Organizations setup.

Prerequisites

Before configuring AWS Firewall Manager, ensure the following:

  1. AWS Organizations: Your AWS accounts must be part of an AWS Organization.
  2. AWS Config Enabled: AWS Config, the service that records resource configurations, must be enabled in every account and every region the policy will cover, and it must record the resource types the policy evaluates (security groups, EC2 instances, and network interfaces). Firewall Manager relies on AWS Config to discover and evaluate resources.
  3. Firewall Manager Administrator Account: From the Organization's management account, designate one account as the Firewall Manager administrator. This account creates the policies and deploys them across the organization. AWS generally recommends delegating a dedicated member account for this role rather than using the management account itself; this walkthrough uses the management account to keep the setup short.
  4. IAM Permissions: The administrator account requires appropriate IAM permissions to manage Firewall Manager policies and access AWS Config data.

Step-by-Step Guide to Auditing Security Groups

This guide assumes a pre-existing AWS Organization with a management account and at least one member account. We’ll use “Management Account” and “Member Account” to represent these.

Step 1: Initial Setup and Resource Creation

  • Enable Firewall Manager: Log in to the Management Account and open AWS Firewall Manager in the AWS Management Console. Complete the initial setup, entering the Management Account's ID as the administrator account.
  • Enable AWS Config in Member Account: Log in to the Member Account and open AWS Config in the region you will audit. If it is not already enabled, use the 1-click setup or configure it manually, and confirm that it is recording resource changes for security groups, EC2 instances, and network interfaces.
  • Create Security Groups (Member Account): Within the Member Account, create two security groups:
    • Insecure-SG: This security group simulates a non-compliant configuration. Add an inbound rule allowing port 3306 (MySQL/Aurora) from a public IP address (e.g., 215.165.85.250/32). Even though the rule admits a single host, its source lies outside the private range that the audit baseline will allow, so it counts as a policy violation.
    • Secure-SG: This security group represents a compliant configuration. Add an inbound rule allowing port 3306 only from a private address inside 10.0.0.0/8 (e.g., the single host 10.0.0.0/32).
  • Create EC2 Instances (Member Account): Launch two instances so that the policy also evaluates instances and their network interfaces:
    • Attach the first instance to Insecure-SG.
    • Attach the second instance to Secure-SG.

  • Create Audit Security Group (Management Account): Log in to the Management Account and, in the same region, create a security group named "Audit-SG." This group defines the allowed baseline that Firewall Manager compares member security groups against: a member rule is compliant only if it is fully contained in an Audit-SG rule (same protocol, ports within the allowed range, source CIDR within the allowed CIDR). Add an inbound rule for port 3306 allowing access only from the 10.0.0.0/8 private range, which restricts database access to internal addresses.
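To see why Insecure-SG fails and Secure-SG passes before touching the console, the following added example (written for this guide; it is not code from the original article or from AWS) models the "allow only the rules defined in the audit security group" check offline. Rule shapes are simplified from the EC2 IpPermission structure, the sample groups are constructed to match the lab above, and the security group ID passed to the revoke helper is a placeholder. The helper at the end shapes the offending rules as the request that manual or automatic remediation would use to remove them.

```python
"""Offline model of a Firewall Manager "allowed rules" security group audit.

Added example; not code from the original article or from AWS. A member
security group is compliant when every inbound rule fits inside at least one
rule of the audit security group: the protocol matches (or the audit rule is
"all traffic"), the port range is contained, and the source CIDR is contained.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all traffic, as EC2 encodes it)
    from_port: int  # from_port = to_port = -1 means "all ports" (used with "-1")
    to_port: int
    cidr: str       # IPv4 or IPv6 source CIDR, e.g. "10.0.0.0/8"


def rule_within(member: Rule, audit: Rule) -> bool:
    """True if every packet `member` admits would also be admitted by `audit`."""
    if audit.protocol != "-1":
        if member.protocol != audit.protocol:
            return False
        if not (audit.from_port <= member.from_port and member.to_port <= audit.to_port):
            return False
    m_net = ipaddress.ip_network(member.cidr, strict=False)
    a_net = ipaddress.ip_network(audit.cidr, strict=False)
    if m_net.version != a_net.version:  # subnet_of() raises across IP versions
        return False
    return m_net.subnet_of(a_net)


def audit_security_group(member_rules, audit_rules):
    """Return the member rules that no audit rule covers (empty list == compliant)."""
    return [r for r in member_rules if not any(rule_within(r, a) for a in audit_rules)]


def compliance_report(groups, audit_rules):
    """Map group name -> offending rules for a dict of {name: [Rule, ...]}."""
    return {name: audit_security_group(rules, audit_rules) for name, rules in groups.items()}


def to_revoke_request(group_id, violations):
    """Shape offending rules as the arguments of ec2.revoke_security_group_ingress(),
    i.e. exactly what remediation would strip from the group."""
    perms = []
    for v in violations:
        perm = {"IpProtocol": v.protocol}
        if v.protocol != "-1":  # EC2 omits ports for all-traffic rules
            perm["FromPort"], perm["ToPort"] = v.from_port, v.to_port
        if ":" in v.cidr:
            perm["Ipv6Ranges"] = [{"CidrIpv6": v.cidr}]
        else:
            perm["IpRanges"] = [{"CidrIp": v.cidr}]
        perms.append(perm)
    return {"GroupId": group_id, "IpPermissions": perms}


# Constructed sample groups mirroring the lab in Step 1.
AUDIT_SG = [Rule("tcp", 3306, 3306, "10.0.0.0/8")]           # baseline in the admin account
INSECURE_SG = [Rule("tcp", 3306, 3306, "215.165.85.250/32")]  # public /32, outside 10.0.0.0/8
SECURE_SG = [Rule("tcp", 3306, 3306, "10.0.0.0/32")]          # single host inside 10.0.0.0/8

if __name__ == "__main__":
    report = compliance_report({"Insecure-SG": INSECURE_SG, "Secure-SG": SECURE_SG}, AUDIT_SG)
    for name, offending in report.items():
        print(f"{name}: {'NON_COMPLIANT' if offending else 'COMPLIANT'}")
        for r in offending:
            print(f"  offending rule: {r.protocol} {r.from_port}-{r.to_port} from {r.cidr}")
    # Placeholder group ID; this is the payload a remediation step would send.
    print(to_revoke_request("sg-0123456789abcdef0", report["Insecure-SG"]))
```

Note the two ways a rule in the "right" range still fails: a port range that spills past the audit rule (3306-3307 against an audit rule for 3306) and a source CIDR of the other IP version, which is never a subnet of an IPv4 range.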

Step 2: Create a Firewall Manager Security Policy

  • Navigate to Firewall Manager: In the Management Account, go to the AWS Firewall Manager console.
  • Create Policy: Click “Create policy.”
  • Policy Type: Select “Security group” and choose “Auditing and enforcement of security group rules.”
  • Policy Details:
    • Provide a policy name (e.g., “DB-Access-SG-Policy”).
    • Add a description.
    • Select “Configure custom policy rules.”
  • Custom Rule:
    • Click "Add security groups."
    • Select the "Audit-SG" you created earlier. This sets the baseline for compliance.
    • Keep the rule option that allows only the rules defined in the audit security group; the alternative option treats the audit group's rules as denied rules instead.
  • Policy Scope:
    • Choose "Include all accounts under my organization."
    • Select "All" for resource types (security groups, EC2 instances, and network interfaces) and "Include all resources that match the selected resource type." This applies the policy broadly.
  • Policy Action: Leave auto remediation off for this exercise so that the policy only identifies non-compliant resources.
  • Review and Create: Review the policy settings and create it. Policies are regional, so make sure you are in the region where the member account's security groups exist.
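The same policy expressed as an API request, which is what you would commit to infrastructure-as-code instead of clicking through Step 2. This is an added example written for this guide, not code from the original article or from AWS; the policy name and the `sg-...` ID are placeholders for your own Audit-SG, and the nested `ManagedServiceData` JSON string is the part the console hides.

```python
"""Build the Firewall Manager content audit policy from Step 2 as a PutPolicy request.

Added example; not code from the original article or from AWS. The request
follows the FMS PutPolicy API: SecurityServicePolicyData.ManagedServiceData is
a JSON string naming the audit security group and the ALLOW/DENY action.
"""
import json

# Resource types a security group content audit evaluates ("All" in the console).
CONTENT_AUDIT_RESOURCE_TYPES = [
    "AWS::EC2::Instance",
    "AWS::EC2::NetworkInterface",
    "AWS::EC2::SecurityGroup",
]


def build_sg_content_audit_policy(policy_name, audit_sg_id, action="ALLOW",
                                  remediation_enabled=False, include_account_ids=None,
                                  description=None):
    """Return the Policy dict for fms.put_policy(Policy=...).

    action="ALLOW": member rules must be contained in the audit group's rules.
    action="DENY":  member rules must not match the audit group's rules.
    include_account_ids=None scopes the policy to every account in the organization.
    """
    if action not in ("ALLOW", "DENY"):
        raise ValueError("action must be ALLOW or DENY")
    managed_service_data = {
        "type": "SECURITY_GROUPS_CONTENT_AUDIT",
        "securityGroups": [{"id": audit_sg_id}],
        "securityGroupAction": {"type": action},
    }
    policy = {
        "PolicyName": policy_name,
        "SecurityServicePolicyData": {
            "Type": "SECURITY_GROUPS_CONTENT_AUDIT",
            "ManagedServiceData": json.dumps(managed_service_data),
        },
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": list(CONTENT_AUDIT_RESOURCE_TYPES),
        "ExcludeResourceTags": False,      # no tag filtering: include all matching resources
        "RemediationEnabled": remediation_enabled,
    }
    if description:
        policy["PolicyDescription"] = description
    if include_account_ids:               # narrow the scope to specific accounts
        policy["IncludeMap"] = {"ACCOUNT": list(include_account_ids)}
    return policy


def managed_service_data(policy):
    """Decode the nested JSON string so the audit settings can be inspected."""
    return json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])


def create_policy(policy, region_name):
    """Submit the policy with boto3 using the Firewall Manager administrator
    account's credentials (network call; not exercised offline)."""
    import boto3  # imported here so the module stays importable without boto3
    return boto3.client("fms", region_name=region_name).put_policy(Policy=policy)


if __name__ == "__main__":
    # Placeholder security group ID for the Audit-SG created in Step 1.
    example = build_sg_content_audit_policy("DB-Access-SG-Policy", "sg-0123456789abcdef0",
                                            description="Allow DB access only from 10.0.0.0/8")
    print(json.dumps(example, indent=2))
```

`RemediationEnabled` is the API form of the console's policy action; keeping it `False` matches the audit-only run described above, and flipping it to `True` later is the only change needed to turn the policy into an enforcing one.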

Step 3: Testing and Validation

  • Check AWS Config (Member Account): Log in to the Member Account and open AWS Config. Firewall Manager deploys a managed Config rule for the policy, and the first evaluation can take several minutes. Once it completes you should see resources marked "compliant" and "non-compliant": "Insecure-SG," the EC2 instance attached to it, and that instance's Elastic Network Interface (ENI) should be flagged as non-compliant, while "Secure-SG" and its instance remain compliant.
  • Check Firewall Manager (Management Account): Log in to the Management Account, open the AWS Firewall Manager console, and view the policy you created. It should show the Management Account as compliant and the Member Account as non-compliant, listing the three violating resources (Insecure-SG, the EC2 instance, and the ENI). The violation reason should state that the resources violate the audit security group.
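The same check from the API side, useful when the number of accounts makes the console view impractical. This added example (written for this guide, not code from the original article or from AWS) consumes the response shapes of the FMS ListComplianceStatus and GetComplianceDetail calls; the sample responses are constructed to mirror the lab, and the account and resource IDs are placeholders.

```python
"""Summarize Firewall Manager compliance results for a policy.

Added example; not code from the original article or from AWS. The pure
functions take the PolicyComplianceStatus and PolicyComplianceDetail
structures returned by FMS; fetch_compliance() shows the live calls.
"""

AUDIT_REASON = "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP"


def noncompliant_accounts(status_list):
    """Map member account -> violator count for every account with a NON_COMPLIANT result."""
    counts = {}
    for status in status_list:
        violators = sum(r.get("ViolatorCount", 0)
                        for r in status.get("EvaluationResults", [])
                        if r.get("ComplianceStatus") == "NON_COMPLIANT")
        if violators:
            counts[status["MemberAccount"]] = violators
    return counts


def audit_violations(detail):
    """Group resources that violate the audit security group by resource type.
    Violators with any other reason are skipped so the output matches the
    three resources the console lists for this policy."""
    grouped = {}
    for violator in detail.get("Violators", []):
        if violator.get("ViolationReason") == AUDIT_REASON:
            grouped.setdefault(violator["ResourceType"], []).append(violator["ResourceId"])
    return grouped


def fetch_compliance(policy_id, region_name):
    """Pull live status and per-account detail with boto3 (network call; not
    exercised offline). Needs the Firewall Manager administrator's credentials."""
    import boto3  # imported here so the module stays importable without boto3
    fms = boto3.client("fms", region_name=region_name)
    statuses, token = [], None
    while True:  # ListComplianceStatus is paginated via NextToken
        kwargs = {"PolicyId": policy_id}
        if token:
            kwargs["NextToken"] = token
        page = fms.list_compliance_status(**kwargs)
        statuses.extend(page.get("PolicyComplianceStatusList", []))
        token = page.get("NextToken")
        if not token:
            break
    details = {acct: fms.get_compliance_detail(PolicyId=policy_id, MemberAccount=acct)["PolicyComplianceDetail"]
               for acct in noncompliant_accounts(statuses)}
    return statuses, details


# Constructed sample responses: the admin account is compliant, the member
# account has the three violators from Step 3 plus one unrelated violator
# added only to show the reason filter. All IDs are placeholders.
SAMPLE_STATUS_LIST = [
    {"PolicyName": "DB-Access-SG-Policy", "MemberAccount": "111111111111",
     "EvaluationResults": [{"ComplianceStatus": "COMPLIANT", "ViolatorCount": 0, "EvaluationLimitExceeded": False}]},
    {"PolicyName": "DB-Access-SG-Policy", "MemberAccount": "222222222222",
     "EvaluationResults": [{"ComplianceStatus": "NON_COMPLIANT", "ViolatorCount": 3, "EvaluationLimitExceeded": False}]},
]
SAMPLE_DETAIL = {
    "MemberAccount": "222222222222",
    "Violators": [
        {"ResourceId": "sg-0a1b2c3d4e5f67890", "ViolationReason": AUDIT_REASON, "ResourceType": "AWS::EC2::SecurityGroup"},
        {"ResourceId": "i-0a1b2c3d4e5f67890", "ViolationReason": AUDIT_REASON, "ResourceType": "AWS::EC2::Instance"},
        {"ResourceId": "eni-0a1b2c3d4e5f67890", "ViolationReason": AUDIT_REASON, "ResourceType": "AWS::EC2::NetworkInterface"},
        {"ResourceId": "sg-0fedcba9876543210", "ViolationReason": "SECURITY_GROUP_UNUSED", "ResourceType": "AWS::EC2::SecurityGroup"},
    ],
}

if __name__ == "__main__":
    for account, count in noncompliant_accounts(SAMPLE_STATUS_LIST).items():
        print(f"{account}: NON_COMPLIANT ({count} violators)")
        for rtype, ids in audit_violations(SAMPLE_DETAIL).items():
            print(f"  {rtype}: {', '.join(ids)}")
```

Watch `EvaluationLimitExceeded` in real responses: when it is true the violator count is a lower bound and the detail call will not list every resource.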

Remediation

To resolve the non-compliance, you can either:

  • Manual Remediation: Log in to the Member Account and change the source of the "Insecure-SG" inbound rule to an address range inside 10.0.0.0/8, so that it falls within the "Audit-SG" rules. The policy re-evaluates when AWS Config records the change, and the three resources return to compliant.
  • Auto-Remediation (Optional): AWS Firewall Manager can remediate non-compliant security groups automatically by removing the rules the audit group does not allow. Because that can cut off legitimate traffic in every account in scope, test it thoroughly in a non-production environment before enabling it.

Best Practices

  • Start with Audit Mode: Before enabling automatic remediation, begin with audit-only mode to understand the policy’s impact.
  • Resource Tagging: Use tags to organize your resources, making it easier to define the scope of your Firewall Manager policies.
  • AWS Config Aggregators: Enable AWS Config aggregators for a consolidated view of resource configurations across multiple regions and accounts.
  • Integration with AWS Security Hub: Integrate Firewall Manager with AWS Security Hub to centralize and prioritize security findings from various AWS services.

Conclusion

AWS Firewall Manager provides a powerful way to centrally manage and audit security groups across an AWS Organization. By implementing these steps, you can significantly improve your security posture, enforce consistent configurations, and minimize the risk of security group misconfigurations.

Innovative Software Technology: Enhancing Your AWS Security with Firewall Manager Expertise

At Innovative Software Technology, we specialize in helping businesses optimize their cloud security. Our team of AWS-certified experts can assist you in leveraging AWS Firewall Manager to its full potential, ensuring your security groups are consistently configured and compliant with your organization’s security policies. We provide services including: AWS Firewall Manager setup and configuration, Custom security policy creation, Security group audit and remediation, Integration with AWS Security Hub and other security tools, Best practices implementation for AWS security, Multi-account security management, and AWS security optimization. Contact us today to learn how we can help you achieve a robust and secure AWS environment.
