AWS Network Firewall using AWS Firewall Manager with Terraform | Part 2

binbash | Published in binbash | 5 min read | Oct 8, 2021

This article is based on our experience with dozens of AWS customer projects at https://www.binbash.com.ar, specifically on the Binbash Leverage Reference Architecture for the AWS Network Firewall feature. The original article that inspired it was written by Luis Gallardo (Cloud Solutions Architect at Binbash).

Following on AWS Network Firewall using AWS Firewall Manager with Terraform | Part 1

AWS Firewall Manager

AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your AWS accounts and applications. It makes it easy to bring new applications and resources into compliance by enforcing a common set of security rules.

By using AWS Firewall Manager you will have a single service to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure, from a central administrator account of your AWS Organization.

Figure: AWS Firewall Manager in Leverage Reference Architecture (Source: AWS Security & Compliance Services)

Some of the benefits of AWS Firewall Manager are:

  • Simplify management of firewall rules across your accounts: you can delegate the creation of application-specific rules within an account while retaining the ability to enforce global security policies across accounts.
  • Easily deploy managed rules across accounts: You can choose a Managed Rule from an AWS Marketplace Seller and deploy it consistently across your ALBs, API Gateways, and CloudFront infrastructure. You can use Firewall Manager to deploy AWS Web Application Firewall (WAF) rules to attach them to your ALBs, API Gateway, and CloudFront distributions to block traffic across your Organization accounts. As new resources are created, they will automatically be brought under the policy scope.
  • Centrally deploy protections for your VPCs: Your security team or administrator can deploy a baseline set of VPC security group rules for EC2 instances, ALBs and ENIs in your VPCs. At the same time, you can also audit any existing security groups in your VPCs for over-permissive rules and remediate them from a single place. You can leverage Firewall Manager to deploy rules for AWS Network Firewall across the VPCs in your organization, to control traffic leaving and entering your network. With Firewall Manager, you can also associate your VPCs with Route 53 Resolver DNS Firewall rules to block DNS queries made for known malicious domains and to allow queries for trusted domains.

Deploying AWS Network Firewall using AWS Firewall Manager with Terraform

We can use Firewall Manager to deploy Network Firewall resources into a centralized Network account to inspect inbound and outbound traffic of your organization as proposed by Binbash Leverage Reference Architecture:

Figure: Binbash Leverage Reference Architecture accounts (Source: “Dedicated Network NAT-GW + Network Firewall Account”)

Binbash Leverage Architecture uses a multi-account approach in order to improve security isolation and resource separation. With that in mind, there are Apps (workload) accounts for deploying applications in dev, qa, stage and production environments, a Shared account for common services and resources, a Network account for centralizing networking resources and inbound and outbound traffic, and a Security account where organization policies are centralized and enforced using services like AWS Firewall Manager.

Deploying AWS Firewall Manager using Terraform

In order to deploy your Network Firewall endpoints and stateless and stateful rules through Firewall Manager using Terraform, you first need to deploy the Network Firewall rules in the Security account. This is needed because we will be using another module for the Firewall Manager resources, called terraform-aws-firewall-manager, which takes the stateless and stateful rule ARNs as parameters (2):

Figure: terraform-aws-firewall-manager module usage

The Network Firewall rules deployed in the Security account will be used as a template for the rest of the accounts. In the above code the only account where the Network Firewall resources are deployed is the Network account (1), as proposed in the Binbash Leverage Reference Architecture.

⚠️ 📈 💵 CONSIDERATION: When Deploying Network Firewall in a multi-account environment

When deploying in a multi-account organization you have to be careful with the resources that the Firewall Manager policies propagate.

In our case, when developing the Firewall Manager layer we created a Firewall Manager policy from the AWS Console in the Security account without limiting the accounts, and we ended up deploying 4 Network Firewalls with 3 endpoints in each account, which were not destroyed when the Firewall Manager policy was removed. This led to an extra USD 3.6K in our monthly bill.

To prevent this from happening again, in the Terraform module code we set the delete_all_policy_resources value to true (1); this way, when the Firewall Manager policy is deleted in the Security account it also deletes the Network Firewall resources in the Network account (or any other account listed in the include_account_ids parameter). We also restricted the policy to the Network account by defining it in the include_account_ids (2) module input, as shown below:

Figure: Network Firewall policies
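The same two settings expressed on the underlying aws_fms_policy Terraform resource, as an added example that is neither the article's figure nor the terraform-aws-firewall-manager module's interface (the module is assumed to wrap this resource; its input names differ). Account ids, rule group ARNs and the endpoint subnet CIDR are placeholders.

```hcl
locals {
  network_account_id       = "111111111111" # placeholder: Network account id
  # Rule groups deployed beforehand in the Security account (Part 1); placeholder ARNs
  stateless_rule_group_arn = "arn:aws:network-firewall:us-east-1:222222222222:stateless-rulegroup/placeholder"
  stateful_rule_group_arn  = "arn:aws:network-firewall:us-east-1:222222222222:stateful-rulegroup/placeholder"
}

resource "aws_fms_policy" "network_firewall" {
  name                  = "network-firewall-policy"
  resource_type         = "AWS::EC2::VPC" # Network Firewall policies target VPCs
  remediation_enabled   = true
  exclude_resource_tags = false

  # (1) Destroying this policy also removes the firewalls and endpoints that
  # Firewall Manager created in member accounts, instead of leaving them
  # running (and billing) after the policy is gone.
  delete_all_policy_resources = true

  # (2) Scope the policy to the Network account only. Without an include map
  # Firewall Manager applies the policy to every account in the organization.
  include_map {
    account = [local.network_account_id]
  }

  security_service_policy_data {
    type = "NETWORK_FIREWALL"
    managed_service_data = jsonencode({
      type = "NETWORK_FIREWALL"
      networkFirewallStatelessRuleGroupReferences = [
        { resourceARN = local.stateless_rule_group_arn, priority = 1 }
      ]
      networkFirewallStatelessDefaultActions         = ["aws:forward_to_sfe"]
      networkFirewallStatelessFragmentDefaultActions = ["aws:forward_to_sfe"]
      networkFirewallStatelessCustomActions          = []
      networkFirewallStatefulRuleGroupReferences = [
        { resourceARN = local.stateful_rule_group_arn }
      ]
      networkFirewallOrchestrationConfig = {
        singleFirewallEndpointPerVPC = false
        allowedIPV4CidrList          = ["10.10.0.0/28"] # placeholder: endpoint subnet CIDR
      }
    })
  }
}
```

Running `terraform plan` from the Security (Firewall Manager administrator) account shows the policy scoped to a single account; a `terraform destroy` then tears down the firewalls Firewall Manager created there rather than orphaning them.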

The above is equivalent to deleting the Firewall Manager policy from the AWS Console and choosing Delete all policy resources, as shown here:

Figure: Deleting AWS Firewall Manager policy for Network Firewall

Another option to prevent this issue from happening is to set up and monitor AWS Cost Explorer Budgets and Billing Alarms for Firewall Manager. This also applies to any other AWS service that can impact costs considerably.

To accomplish this you can use the following Terraform modules developed by Binbash:

Figure: Early alarm where the misconfiguration incident could have been detected and avoided
Figure: Forecasted amount in AWS Budgets
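A forecast-based monthly budget for the Network Firewall service, written directly against the aws_budgets_budget resource as an added example (not the Binbash modules the figures refer to). The limit, the subscriber address and the Cost Explorer service name "AWS Network Firewall" used in the filter are assumptions.

```hcl
resource "aws_budgets_budget" "network_firewall_monthly" {
  name         = "network-firewall-monthly"
  budget_type  = "COST"
  limit_amount = "1000" # placeholder monthly ceiling in USD
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  # Restrict the budget to the service that produced the unexpected charge.
  # The service name below is the assumed Cost Explorer label for Network Firewall.
  cost_filter {
    name   = "Service"
    values = ["AWS Network Firewall"]
  }

  # Forecast-based alert: fires when the projected month-end spend exceeds 80%
  # of the limit, i.e. days before the actual bill crosses it.
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = ["finops@example.com"] # placeholder
  }

  # Actual-spend alert as a second line of defense once the limit is reached.
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = ["finops@example.com"] # placeholder
  }
}
```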

Conclusion

We were able to deploy a Network Firewall, a policy, and stateless and stateful rules into an account. We were also able to deploy Firewall Manager policies that provision Network Firewall resources in a centralized Network account in our Organization using Terraform, and we suggested best practices for deploying Firewall Manager and Network Firewall resources to prevent unexpected charges from unwanted resources in the rest of the Organization’s accounts.
