The source pages do not mention AWS Firewall Manager, so this study guide covers only what they do describe: general firewall concepts and the AWS services with firewall-like functions, namely EC2 security groups, network access control lists (NACLs), AWS WAF, and Gateway Load Balancer for virtual firewall appliances. It summarizes their purpose, configuration, and security implications as given in the source material; Firewall Manager itself is out of scope for this extraction.
Firewalls are fundamental to network security: they control traffic according to rules you define.
A firewall prevents unauthorized access to your networks by inspecting incoming and outgoing traffic against those rules and dropping anything they do not permit.
AWS provides several services with firewall-like capabilities at different layers of your infrastructure, from the individual instance to the subnet to the application edge.
Together they let you control network traffic and protect the resources behind them.
EC2 Security Groups
Security groups act as virtual firewalls for EC2 instances, controlling inbound and outbound traffic. They are stateful: if an inbound request is allowed, the corresponding outbound response is permitted automatically, regardless of the outbound rules. All inbound traffic is blocked by default and all outbound traffic is allowed by default. Rules are allow rules only; there is no deny rule, so anything not explicitly allowed is dropped. Rules open ports (or port ranges) for a protocol and authorize a source, which can be an IP range or another security group. A single security group can be associated with multiple EC2 instances, an instance can belong to several groups, and each group is tied to one VPC in one AWS Region. Traffic is filtered before it reaches the instance, so the operating system never sees blocked packets.
default_inbound_behavior: All inbound traffic is blocked by default
default_outbound_behavior: All outbound traffic is allowed by default
statefulness: Stateful (inbound allowed -> outbound response automatically allowed)
rule_components: Protocol, port range, source/destination (IP addresses, CIDR blocks, or other security groups)
scope: Instance-level, Regional, VPC-specific
Use Cases:
- Controlling SSH access (port 22)
- Controlling HTTP/HTTPS web traffic (ports 80/443)
- Restricting access to known IP ranges
- Allowing instances in another security group (referenced by group ID rather than by IP address) to connect on a specific port, which is how one tier of an application is opened to the next
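The use cases above are easiest to check against real configuration. The following is an added example, not code from the source pages: it audits inbound security group rules in the shape that boto3's `ec2.describe_security_groups()` returns (`GroupId`, `IpPermissions`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`) and flags administrative ports or all-traffic rules that are open to the whole internet. The three groups in `SAMPLE_GROUPS` are constructed for the demonstration; the group IDs and the 203.0.113.0/24 office range are placeholders.

```python
"""Audit EC2 security group inbound rules for exposure to the whole internet.

Added example (not from the original study guide). The input mirrors the
'IpPermissions' structure returned by boto3's ec2.describe_security_groups();
the groups in SAMPLE_GROUPS are constructed for the demo, not captured from
a real account.
"""

# Ports that should never be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
WORLD = {"0.0.0.0/0", "::/0"}


def port_range(perm):
    """(low, high) covered by a rule; IpProtocol '-1' means all protocols and ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_group(sg):
    """Return human-readable findings for one security group dict.

    Only inbound rules (IpPermissions) are examined, since outbound is allow-all
    by default and is rarely the exposure. Sources that are other security
    groups (UserIdGroupPairs) are treated as acceptable: referencing a group is
    the recommended way to let one tier talk to the next.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = port_range(perm)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            if src not in WORLD:
                continue  # restricted to a known range: fine for this check
            if perm.get("IpProtocol") == "-1":
                findings.append(f"{sg['GroupId']}: all protocols and ports open to {src}")
                continue
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append(f"{sg['GroupId']}: {name} (port {port}) open to {src}")
    return findings


def audit_all(groups):
    """Flatten findings across every group in a describe_security_groups() result."""
    return [f for sg in groups for f in audit_security_group(sg)]


# Constructed sample, shaped like ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {   # web tier: public HTTP/HTTPS, SSH only from an office range (placeholder CIDR)
        "GroupId": "sg-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {   # app tier: port 8080 reachable only from instances in the web tier's group
        "GroupId": "sg-app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        ],
    },
    {   # misconfigured: SSH from anywhere, and everything open over IPv6
        "GroupId": "sg-bad",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ],
    },
]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_GROUPS):
        print(finding)
```

Running the audit on the sample reports two findings, both on `sg-bad`; the web and app tiers pass because their only world-reachable ports are 80 and 443 and the app port is opened by group reference. To run it against an account, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `audit_all`.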
Network Access Control Lists (NACLs)
NACLs appear in the source as one of the layers in the AWS Well-Architected Framework's "apply security at all layers" guidance. They are applied at the subnet level, so one NACL governs traffic for every instance in the subnet and is evaluated before the instance's security group. Unlike security groups, NACLs are stateless and contain both allow and deny rules: rules are evaluated in ascending rule-number order, the first match wins, and anything unmatched hits the implicit final deny. Because no connection state is kept, return traffic must be allowed explicitly, which in practice means an outbound rule for the ephemeral port range clients use.
Use Cases:
- Adding a subnet-level layer of filtering, in line with "security at all layers", that is independent of the instance-level security groups.
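The two NACL behaviours that most often surprise people, first-match-wins ordering and statelessness, are easiest to see in a small evaluator. The following is an added example and not code from the source pages; it models the documented NACL evaluation rules (ascending rule number, first match, implicit deny) for a public web subnet. The rule sets, the blocked 198.51.100.0/24 range and the client addresses are constructed for the demonstration.

```python
"""Simulate network ACL evaluation for one subnet direction.

Added example (not from the original study guide). Models AWS's documented
NACL semantics: rules are evaluated in ascending rule-number order, the first
match wins, an unmatched packet hits the implicit '*' deny, and the ACL keeps
no state, so the reply leg of a connection needs its own allow rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str   # "tcp", "udp", "icmp", or "-1" for all traffic
    port_from: int
    port_to: int
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    action: str     # "allow" or "deny"


def evaluate(rules, protocol, port, addr):
    """Return 'allow' or 'deny' for one packet against one direction's rule list."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        if ip_address(addr) not in ip_network(r.cidr, strict=False):
            continue
        return r.action          # first matching rule decides
    return "deny"                # the implicit '*' rule at the end of every NACL


def session_permitted(inbound, outbound, client_ip, client_port, server_port=443):
    """Both legs of a TCP connection must pass, because NACLs keep no state:
    the request arrives on server_port, the reply leaves towards client_port."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    response = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and response == "allow"


# Constructed rule set for a public web subnet (numbers leave gaps for later inserts).
INBOUND = [
    Rule(90, "-1", 0, 65535, "198.51.100.0/24", "deny"),    # blocked scanner range, before the allows
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),       # HTTPS from anywhere
    Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),    # replies to connections the subnet opened
]
OUTBOUND = [
    Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),    # replies to inbound clients (ephemeral ports)
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),       # outbound HTTPS calls from the subnet
]

# Common mistakes, kept for comparison:
OUTBOUND_NO_EPHEMERAL = [OUTBOUND[1]]                       # forgot the ephemeral-port allow
INBOUND_DENY_TOO_LATE = [                                   # same deny, numbered after the allow
    INBOUND[1], INBOUND[2],
    Rule(200, "-1", 0, 65535, "198.51.100.0/24", "deny"),
]


if __name__ == "__main__":
    print("normal client HTTPS:", session_permitted(INBOUND, OUTBOUND, "203.0.113.10", 51515))
    print("blocked range HTTPS:", evaluate(INBOUND, "tcp", 443, "198.51.100.7"))
    print("deny numbered too late:", evaluate(INBOUND_DENY_TOO_LATE, "tcp", 443, "198.51.100.7"))
    print("missing ephemeral outbound:", session_permitted(INBOUND, OUTBOUND_NO_EPHEMERAL, "203.0.113.10", 51515))
```

The last two results are the ones worth remembering: with the deny rule numbered 200 the blocked range is allowed in because rule 100 matches first and evaluation stops, and without the outbound ephemeral-port rule the inbound HTTPS request is accepted but the server's reply is dropped, so the connection never completes even though the "inbound" side looks correct. A security group would have handled the reply automatically; a NACL will not.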
Web Application Firewall (WAF)
AWS WAF helps protect web applications against common web attacks, in particular request patterns such as SQL injection and cross-site scripting. It attaches to the AWS service that terminates HTTP in front of the application: a CloudFront distribution, as part of a CDN solution that blocks malicious requests at the edge, or the Application Load Balancer that fronts a web application running on EC2 instances. WAF does not attach to an EC2 instance directly, so an instance exposed without such a front end gets no WAF protection.
Use Cases:
- Protecting web applications from cross-site scripting attacks.
- Protecting web applications from SQL injection attacks.
- Blocking malicious traffic as part of a CDN solution with CloudFront.
Gateway Load Balancer (GWLB) for Virtual Firewall Appliances
Gateway Load Balancer (GWLB) is the service for inserting third-party virtual firewall appliances into the traffic path. The appliance fleet and the GWLB are deployed in a dedicated inspection VPC. A Gateway Load Balancer endpoint is created in the application VPC and placed on the path by route-table entries, so traffic is redirected transparently to the inspection VPC, passes through an appliance, and returns to its original path; between the GWLB and the appliances the packets are carried in GENEVE encapsulation. GWLB distributes traffic across the appliances, scales the fleet, and maintains flow stickiness, meaning both directions of a flow reach the same appliance, which a stateful firewall needs; together this reduces the operational overhead of running the appliances.
Use Cases:
- Integrating a third-party virtual firewall appliance with a three-tier web application for traffic inspection before it reaches the web server.
- Transparent redirection of traffic to virtual firewall appliances.
In the AWS Shared Responsibility Model, firewall configuration is part of "Security in the Cloud", which is the customer's responsibility.
AWS secures the underlying infrastructure ("Security of the Cloud"); you are responsible for network traffic protection, including the configuration of security groups, NACLs, and WAF rules.
Glossary
Security Group
Acts as a virtual firewall for EC2 instances, controlling inbound and outbound traffic.
Web Application Firewall (WAF)
A service that helps protect web applications against common web attacks such as SQL injection and cross-site scripting.
Gateway Load Balancer (GWLB)
A load balancer designed for transparently deploying, scaling, and managing virtual appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems.
Network Access Control List (NACL)
A security layer that acts as a firewall for controlling traffic in and out of one or more subnets.