<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>AWS Firewall Manager Security | AWS Security Cards</title>
<meta name="description" content="AWS Firewall Manager is a centralized security management service for deploying firewall rules and protections across multiple accounts in an AWS Organization.">
<style>
*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', sans-serif;
background: #0a0e1a;
color: #e2e8f0;
line-height: 1.6;
padding: 2rem;
max-width: 1200px;
margin: 0 auto;
}
a { color: #22d3ee; text-decoration: none; }
a:hover { text-decoration: underline; }
/* Card Image */
.card-image {
border-radius: 1rem;
overflow: hidden;
margin-bottom: 2rem;
border: 1px solid rgba(255,255,255,0.1);
}
.card-image img {
width: 100%;
height: auto;
display: block;
}
/* Header */
.header {
position: relative;
overflow: hidden;
border-radius: 1rem;
background: linear-gradient(135deg, #06b6d415, #0a0e1a, #0ea5e915);
border: 1px solid #06b6d44d;
padding: 2.5rem;
margin-bottom: 2rem;
}
.header::before {
content: '';
position: absolute;
top: 0; right: 0;
width: 24rem; height: 24rem;
background: #06b6d40d;
border-radius: 50%;
filter: blur(3rem);
}
.header-content { position: relative; display: flex; align-items: flex-start; gap: 1.5rem; }
.header-icon { width: 64px; height: 64px; flex-shrink: 0; }
.header-icon img { width: 100%; height: 100%; }
.header-title { font-size: 1.875rem; font-weight: 700; color: #fff; }
.header-badge {
display: inline-block;
padding: 0.25rem 0.75rem;
background: #06b6d433;
color: #06b6d4;
font-size: 0.8rem;
font-weight: 600;
border-radius: 999px;
border: 1px solid #06b6d44d;
margin-left: 0.75rem;
vertical-align: middle;
}
.header-desc { color: #94a3b8; max-width: 42rem; margin-top: 0.5rem; }
/* Stats */
.stats-row { display: grid; grid-template-columns: repeat(4, 1fr); gap: 1rem; margin-bottom: 2rem; }
.stat-card {
background: rgba(255,255,255,0.03);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1rem;
text-align: center;
}
.stat-value { font-size: 1.5rem; font-weight: 700; }
.stat-label { font-size: 0.8rem; color: #94a3b8; }
/* Sections */
.section {
background: rgba(255,255,255,0.03);
border-radius: 0.75rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1.5rem;
margin-bottom: 1.5rem;
}
.section h2 {
font-size: 1.25rem;
font-weight: 700;
color: #fff;
margin-bottom: 1rem;
display: flex;
align-items: center;
gap: 0.5rem;
}
/* Overview */
.overview-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1.5rem; }
.overview-grid h4 { font-size: 0.9rem; font-weight: 600; margin-bottom: 0.5rem; }
.overview-grid p { font-size: 0.875rem; color: #94a3b8; margin-bottom: 0.75rem; }
.attack-note {
background: rgba(0,0,0,0.3);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 0.75rem;
font-size: 0.875rem;
color: #cbd5e1;
}
/* Risk Gauge */
.risk-gauge { display: flex; align-items: center; gap: 2rem; }
.risk-bar-container { flex: 1; }
.risk-bar {
height: 1rem;
background: #0f172a;
border-radius: 999px;
overflow: hidden;
}
.risk-bar-fill {
height: 100%;
border-radius: 999px;
background: linear-gradient(90deg, #eab308, #f97316, #ef4444);
}
.risk-labels { display: flex; justify-content: space-between; font-size: 0.8rem; color: #94a3b8; margin-top: 0.5rem; }
.risk-score { text-align: center; }
.risk-score-value { font-size: 2.5rem; font-weight: 700; color: #f87171; }
.risk-score-label { font-size: 0.8rem; color: #94a3b8; }
.risk-desc { margin-top: 1rem; font-size: 0.875rem; color: #94a3b8; }
/* Panels Grid */
.panels-grid { display: grid; grid-template-columns: repeat(3, 1fr); gap: 1.5rem; margin-bottom: 1.5rem; }
@media (max-width: 1024px) { .panels-grid { grid-template-columns: repeat(2, 1fr); } }
@media (max-width: 640px) { .panels-grid, .stats-row, .overview-grid { grid-template-columns: 1fr; } }
.panel {
background: rgba(255,255,255,0.03);
border-radius: 0.75rem;
border: 1px solid;
padding: 1.5rem;
}
.panel h3 { font-size: 1.1rem; font-weight: 700; margin-bottom: 1rem; display: flex; align-items: center; gap: 0.5rem; }
.panel h4 { font-size: 0.85rem; font-weight: 600; margin-bottom: 0.5rem; margin-top: 1rem; }
.panel ul { list-style: none; padding: 0; }
.panel li {
font-size: 0.85rem;
color: #cbd5e1;
padding: 0.15rem 0;
display: flex;
align-items: flex-start;
gap: 0.5rem;
}
.bullet { margin-top: 0.15rem; }
.note {
margin-top: 1rem;
padding: 0.75rem;
border-radius: 0.5rem;
font-size: 0.85rem;
}
/* Commands */
.cmd-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
.cmd-block { margin-top: 0.75rem; }
.cmd-title { font-size: 0.8rem; color: #94a3b8; margin-bottom: 0.25rem; }
pre {
background: rgba(0,0,0,0.5);
border-radius: 0.5rem;
padding: 0.75rem;
font-size: 0.8rem;
color: #4ade80;
overflow-x: auto;
border: 1px solid rgba(255,255,255,0.06);
white-space: pre-wrap;
word-break: break-all;
font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace;
}
/* Policies */
.policy-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1.5rem; }
.policy-card {
border-radius: 0.5rem;
border: 1px solid;
padding: 1rem;
}
.policy-header { display: flex; align-items: center; gap: 0.5rem; margin-bottom: 0.75rem; font-size: 0.9rem; }
.policy-card pre { margin-bottom: 0.75rem; color: #cbd5e1; }
.policy-desc { font-size: 0.8rem; color: #94a3b8; }
/* Defenses */
.defense-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
.defense-card {
background: rgba(255,255,255,0.03);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1rem;
}
.defense-card:hover { border-color: #22d3ee4d; }
.defense-header { display: flex; align-items: flex-start; gap: 0.75rem; }
.defense-icon { font-size: 1.5rem; }
.defense-card h4 { font-size: 0.9rem; font-weight: 600; color: #fff; margin-bottom: 0.25rem; }
.defense-card p { font-size: 0.85rem; color: #94a3b8; margin-bottom: 0.5rem; }
.defense-card pre { color: #22d3ee; }
/* Footer */
.footer { text-align: center; padding: 1.5rem 0; font-size: 0.8rem; color: #64748b; }
.footer a { color: #22d3ee; }
/* Prevent ugly page-break splits */
.card-image,
.header,
.stat-card,
.stats-row,
.section,
.panel,
.cmd-block,
.policy-card,
.defense-card,
.attack-note,
.overview-grid > div,
.risk-gauge,
.note {
break-inside: avoid;
page-break-inside: avoid;
}
.section,
.panels-grid,
.card-image,
.header {
break-before: auto;
page-break-before: auto;
}
/* Keep headings with their content */
h2, h3, h4 {
break-after: avoid;
page-break-after: avoid;
}
@media print {
body { background: #0a0e1a; -webkit-print-color-adjust: exact; print-color-adjust: exact; }
.panels-grid { grid-template-columns: repeat(2, 1fr); }
.cmd-grid { grid-template-columns: 1fr; }
.policy-grid { grid-template-columns: 1fr; }
.defense-grid { grid-template-columns: 1fr; }
}
</style>
</head>
<body>
<!-- Card Image -->
<div class="card-image">
<img src="../images/firewallmanager-card.webp" alt="AWS Firewall Manager Security" />
</div>
<!-- Header -->
<div class="header">
<div class="header-content">
<div class="header-icon"><img src="../icons/firewallmanager.svg" alt="AWS Firewall Manager Security" /></div>
<div>
<div>
<span class="header-title">AWS Firewall Manager Security</span>
<span class="header-badge">MANAGEMENT</span>
</div>
<p class="header-desc">AWS Firewall Manager is a centralized security management service that lets you configure and deploy firewall rules and protections across multiple accounts and resources in an AWS Organization. It manages WAF, Shield Advanced, VPC Security Groups, Network ACLs, Network Firewall, Route 53 Resolver DNS Firewall, and third-party firewalls.</p>
</div>
</div>
</div>
<!-- Stats -->
<div class="stats-row">
<div class="stat-card">
<div class="stat-value" style="color: #f87171;">HIGH</div>
<div class="stat-label">Risk Level</div>
</div>
<div class="stat-card">
<div class="stat-value" style="color: #4ade80;">Org-wide</div>
<div class="stat-label">Scope</div>
</div>
<div class="stat-card">
<div class="stat-value" style="color: #60a5fa;">WAF/SG/NF/DNS</div>
<div class="stat-label">Policy Types</div>
</div>
<div class="stat-card">
<div class="stat-value" style="color: #c084fc;">Orgs + Config</div>
<div class="stat-label">Requires</div>
</div></div>
<!-- Overview -->
<div class="section"><h2><span style="color:#06b6d4;">📋</span> Service Overview</h2><div class="overview-grid">
<div>
<h4 style="color: #06b6d4;">Centralized Policy Management</h4>
<p>Firewall Manager enforces security policies across all accounts in an AWS Organization. Policies are automatically applied to new accounts and resources as they are added.</p>
<div class="attack-note"><span style="color:#06b6d4;">Attack note:</span> Compromising the FMS administrator account grants the ability to weaken or delete security policies across the entire organization in a single operation.</div>
</div>
<div>
<h4 style="color: #06b6d4;">Auto-Remediation and Scope Control</h4>
<p>Policies can automatically remediate non-compliant resources. Scope is controlled via account inclusion/exclusion maps, resource tags, and resource types.</p>
<div class="attack-note"><span style="color:#06b6d4;">Attack note:</span> An attacker with fms:PutPolicy can modify a policy's scope or disable remediation, leaving resources unprotected without triggering obvious alerts.</div>
</div></div></div>
<!-- Risk Assessment -->
<div class="section">
<h2>Security Risk Assessment</h2>
<div class="risk-gauge">
<div class="risk-bar-container">
<div class="risk-bar">
<div class="risk-bar-fill" style="width: 75%;"></div>
</div>
<div class="risk-labels"><span>Low</span><span>Medium</span><span>High</span><span>Critical</span></div>
</div>
<div class="risk-score">
<div class="risk-score-value">7.5</div>
<div class="risk-score-label">Risk Score</div>
</div>
</div>
<p class="risk-desc">Firewall Manager is an organization-wide security control plane. Compromise of the FMS administrator account can silently remove WAF rules, security group restrictions, and Network Firewall protections across every account in the organization.</p>
</div>
<!-- Main Panels -->
<div class="panels-grid">
<div class="panel" style="border-color: #f8717133;">
<h3 style="color: #f87171;">⚔️ Attack Vectors</h3><h4 style="color: #f87171;">Policy Manipulation</h4><ul><li><span class="bullet" style="color: #f87171;">•</span> Disable RemediationEnabled to stop auto-fix</li><li><span class="bullet" style="color: #f87171;">•</span> Change IncludeMap/ExcludeMap to narrow scope</li><li><span class="bullet" style="color: #f87171;">•</span> Switch policy rules to permissive configurations</li><li><span class="bullet" style="color: #f87171;">•</span> Delete critical policies with fms:DeletePolicy</li><li><span class="bullet" style="color: #f87171;">•</span> Narrow admin scope to push policies OUT_OF_ADMIN_SCOPE</li></ul><h4 style="color: #f87171;">Administrative Takeover</h4><ul><li><span class="bullet" style="color: #f87171;">•</span> fms:PutAdminAccount to register rogue administrator</li><li><span class="bullet" style="color: #f87171;">•</span> fms:AssociateAdminAccount to designate attacker as admin</li><li><span class="bullet" style="color: #f87171;">•</span> fms:DeleteNotificationChannel to suppress alerts</li><li><span class="bullet" style="color: #f87171;">•</span> fms:DisassociateAdminAccount to remove legitimate admin</li><li><span class="bullet" style="color: #f87171;">•</span> Modify admin scope to limit legitimate admin visibility</li></ul></div>
<div class="panel" style="border-color: #fb923c33;">
<h3 style="color: #fb923c;">⚠️ Misconfigurations</h3><h4 style="color: #fb923c;">Policy Scope Issues</h4><ul><li><span class="bullet" style="color: #fb923c;">•</span> RemediationEnabled set to false</li><li><span class="bullet" style="color: #fb923c;">•</span> Overly broad tag exclusions leaving resources unprotected</li><li><span class="bullet" style="color: #fb923c;">•</span> IncludeMap limited to subset of accounts</li><li><span class="bullet" style="color: #fb923c;">•</span> Policies created only in one Region</li><li><span class="bullet" style="color: #fb923c;">•</span> DeleteUnusedFMManagedResources set to false</li></ul><h4 style="color: #fb923c;">Operational Gaps</h4><ul><li><span class="bullet" style="color: #fb923c;">•</span> AWS Config not enabled in all accounts/Regions</li><li><span class="bullet" style="color: #fb923c;">•</span> No SNS notification channel configured</li><li><span class="bullet" style="color: #fb923c;">•</span> Security group policies in audit mode only</li><li><span class="bullet" style="color: #fb923c;">•</span> WAF policies using COUNT instead of BLOCK</li><li><span class="bullet" style="color: #fb923c;">•</span> Third-party firewall integration not verified</li></ul></div>
<div class="panel" style="border-color: #22d3ee33;">
<h3 style="color: #22d3ee;">🔍 Enumeration</h3><div class="cmd-block">
<div class="cmd-title">Identify FMS Administrator Account</div>
<pre><code>aws fms get-admin-account</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">List All FMS Policies</div>
<pre><code>aws fms list-policies</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Get Full Policy Details</div>
<pre><code>aws fms get-policy \
--policy-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">List Member Accounts Under FMS</div>
<pre><code>aws fms list-member-accounts</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Check Notification Channel</div>
<pre><code>aws fms get-notification-channel</code></pre>
</div></div>
<div class="panel" style="border-color: #c084fc33;">
<h3 style="color: #c084fc;">📈 Privilege Escalation</h3><h4 style="color: #c084fc;">fms:PutPolicy - Weaken Org Security</h4><ul><li><span class="bullet" style="color: #c084fc;">•</span> Modify existing policies to disable remediation</li><li><span class="bullet" style="color: #c084fc;">•</span> Narrow scope to exclude target accounts</li><li><span class="bullet" style="color: #c084fc;">•</span> Change managed service data to permissive rules</li><li><span class="bullet" style="color: #c084fc;">•</span> Remove security controls across all in-scope accounts</li></ul><h4 style="color: #c084fc;">fms:DeletePolicy - Remove Protections</h4><ul><li><span class="bullet" style="color: #c084fc;">•</span> Delete Firewall Manager policies at scale</li><li><span class="bullet" style="color: #c084fc;">•</span> Remove centrally managed WAF/SG/NF configurations</li><li><span class="bullet" style="color: #c084fc;">•</span> Combine with fms:DeleteNotificationChannel to go unnoticed</li><li><span class="bullet" style="color: #c084fc;">•</span> fms:AssociateAdminAccount to install own admin account</li></ul></div>
<div class="panel" style="border-color: #facc1533;">
<h3 style="color: #facc15;">🔗 Persistence</h3><h4 style="color: #facc15;">Weakening Policies</h4><ul><li><span class="bullet" style="color: #facc15;">•</span> Set RemediationEnabled to false on all policies</li><li><span class="bullet" style="color: #facc15;">•</span> Add broad tag exclusions to bypass protection</li><li><span class="bullet" style="color: #facc15;">•</span> Narrow IncludeMap to exclude critical accounts</li><li><span class="bullet" style="color: #facc15;">•</span> Delete notification channel to suppress alerts</li><li><span class="bullet" style="color: #facc15;">•</span> Switch WAF rules from BLOCK to COUNT</li></ul><h4 style="color: #facc15;">Administrative Takeover</h4><ul><li><span class="bullet" style="color: #facc15;">•</span> Register rogue FMS administrator account</li><li><span class="bullet" style="color: #facc15;">•</span> Disassociate legitimate admin account</li><li><span class="bullet" style="color: #facc15;">•</span> Modify admin scope to limit visibility</li><li><span class="bullet" style="color: #facc15;">•</span> Delete critical policies across organization</li><li><span class="bullet" style="color: #facc15;">•</span> Disable auto-remediation silently</li></ul></div>
<div class="panel" style="border-color: #4ade8033;">
<h3 style="color: #4ade80;">🛡️ Detection</h3><h4 style="color: #4ade80;">High-Impact CloudTrail Events</h4><ul><li><span class="bullet" style="color: #4ade80;">•</span> PutPolicy - policy created or modified</li><li><span class="bullet" style="color: #4ade80;">•</span> DeletePolicy - policy deleted</li><li><span class="bullet" style="color: #4ade80;">•</span> AssociateAdminAccount - admin account changed</li><li><span class="bullet" style="color: #4ade80;">•</span> DisassociateAdminAccount - admin removed</li><li><span class="bullet" style="color: #4ade80;">•</span> PutAdminAccount - admin account added</li></ul><h4 style="color: #4ade80;">Compliance Monitoring</h4><ul><li><span class="bullet" style="color: #4ade80;">•</span> DeleteNotificationChannel - alerts suppressed</li><li><span class="bullet" style="color: #4ade80;">•</span> ListComplianceStatus - check policy compliance</li><li><span class="bullet" style="color: #4ade80;">•</span> Policy scope changes via IncludeMap/ExcludeMap</li><li><span class="bullet" style="color: #4ade80;">•</span> RemediationEnabled toggle on policies</li><li><span class="bullet" style="color: #4ade80;">•</span> New FMS administrators via list-admin-accounts-for-organization</li></ul></div></div>
<!-- Exploitation -->
<div class="section"><h2><span style="color:#f87171;">💻</span> Exploitation Commands</h2><div class="cmd-grid"><div class="cmd-block">
<div class="cmd-title">Delete a Critical Policy</div>
<pre><code>aws fms delete-policy \
--policy-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Delete Notification Channel</div>
<pre><code>aws fms delete-notification-channel</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Disassociate Admin Account</div>
<pre><code>aws fms disassociate-admin-account</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">List All Admins for Recon</div>
<pre><code>aws fms list-admin-accounts-for-organization</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Check Compliance Status</div>
<pre><code>aws fms list-compliance-status \
--policy-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111</code></pre>
</div></div></div>
<!-- Policies -->
<div class="section"><h2><span style="color:#4ade80;">📜</span> Policy Examples</h2><div class="policy-grid"><div class="policy-card" style="border-color: #ef444433; background: rgba(239,68,68,0.05);">
<div class="policy-header">
<span style="color: #f87171; font-size: 1.2em;">✗</span>
<span style="color: #f87171; font-weight: 600;">Dangerous - Broad FMS Exclusion, No Remediation</span>
</div>
<pre><code>{
"RemediationEnabled": false,
"ExcludeResourceTags": true,
"ExcludeMap": {
"ACCOUNT": ["111111111111", "222222222222"]
}
}</code></pre>
<p class="policy-desc">Remediation disabled, accounts excluded, and resources excluded by tag. Non-compliant resources are never fixed.</p>
</div><div class="policy-card" style="border-color: #22c55e33; background: rgba(34,197,94,0.05);">
<div class="policy-header">
<span style="color: #4ade80; font-size: 1.2em;">✓</span>
<span style="color: #4ade80; font-weight: 600;">Secure - Full Scope, Remediation Enabled</span>
</div>
<pre><code>{
"RemediationEnabled": true,
"ExcludeResourceTags": false,
"DeleteUnusedFMManagedResources": true,
"IncludeMap": {}
}</code></pre>
<p class="policy-desc">Remediation enabled, no exclusions, all accounts covered, orphaned resources cleaned up.</p>
</div></div></div>
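<!-- Added example: policy document audit -->
<div class="section"><h2><span style="color:#4ade80;">🧪</span> Added Example: Auditing Policy Documents</h2>
<p class="risk-desc">The two policy documents above differ in a handful of settings. This Python audit is added here and is not part of the original card: it flags each weak setting in the shape that <code>aws fms get-policy</code> returns, with a COUNT-mode check on the WAFV2 rule groups as well; the sample policies and the WAFV2 ManagedServiceData layout are constructed for the example, and no AWS call is made.</p>

```python
import json
from typing import Any, Optional

# Constructed sample: the card's "dangerous" policy in get-policy shape. The WAFV2
# ManagedServiceData layout (overrideAction type COUNT = count only) is assumed.
DANGEROUS_POLICY: dict[str, Any] = {
    "PolicyName": "waf-baseline-weak",
    "RemediationEnabled": False,
    "ExcludeResourceTags": True,
    "ResourceTags": [{"Key": "fms-skip", "Value": "true"}],
    "ExcludeMap": {"ACCOUNT": ["111111111111", "222222222222"]},
    "SecurityServicePolicyData": {"Type": "WAFV2", "ManagedServiceData": json.dumps({
        "type": "WAFV2",
        "preProcessRuleGroups": [{"overrideAction": {"type": "COUNT"},
            "managedRuleGroupIdentifier": {"managedRuleGroupName": "AWSManagedRulesCommonRuleSet"}}],
        "postProcessRuleGroups": [], "defaultAction": {"type": "ALLOW"}})},
}

# Constructed sample: the card's "secure" policy, same rule group in enforcing mode.
SECURE_POLICY: dict[str, Any] = {
    "PolicyName": "waf-baseline",
    "RemediationEnabled": True,
    "ExcludeResourceTags": False,
    "DeleteUnusedFMManagedResources": True,
    "IncludeMap": {},
    "SecurityServicePolicyData": {"Type": "WAFV2", "ManagedServiceData": json.dumps({
        "type": "WAFV2",
        "preProcessRuleGroups": [{"overrideAction": {"type": "NONE"},
            "managedRuleGroupIdentifier": {"managedRuleGroupName": "AWSManagedRulesCommonRuleSet"}}],
        "postProcessRuleGroups": [], "defaultAction": {"type": "ALLOW"}})},
}


def _scope_entries(scope_map: Optional[dict[str, list[str]]]) -> list[str]:
    """Flatten an IncludeMap/ExcludeMap ({"ACCOUNT": [...], "ORG_UNIT": [...]}) to one list."""
    return [entry for values in (scope_map or {}).values() for entry in values]


def audit_policy(policy: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one policy document; an empty list means clean."""
    findings: list[tuple[str, str]] = []
    if not policy.get("RemediationEnabled", False):
        findings.append(("HIGH", "RemediationEnabled is false: non-compliant resources are reported, never fixed"))
    if policy.get("ExcludeResourceTags", False):
        tags = ", ".join(f"{t['Key']}={t['Value']}" for t in policy.get("ResourceTags", []))
        findings.append(("HIGH", f"ExcludeResourceTags is true: anything tagged [{tags}] is exempt"))
    excluded = _scope_entries(policy.get("ExcludeMap"))
    if excluded:
        findings.append(("HIGH", f"ExcludeMap drops {len(excluded)} account(s)/OU(s): {', '.join(excluded)}"))
    included = _scope_entries(policy.get("IncludeMap"))
    if included:
        findings.append(("MEDIUM", f"IncludeMap limits scope to {len(included)} account(s)/OU(s); "
                                   "new accounts outside it stay unprotected"))
    if not policy.get("DeleteUnusedFMManagedResources", False):
        findings.append(("LOW", "DeleteUnusedFMManagedResources is false: orphaned FMS-managed resources are kept"))
    service = policy.get("SecurityServicePolicyData", {})
    if service.get("Type") == "WAFV2":  # rule groups left in COUNT mode only observe traffic
        data = json.loads(service.get("ManagedServiceData", "{}"))
        for group in data.get("preProcessRuleGroups", []) + data.get("postProcessRuleGroups", []):
            if group.get("overrideAction", {}).get("type") == "COUNT":
                name = group.get("managedRuleGroupIdentifier", {}).get("managedRuleGroupName", "?")
                findings.append(("MEDIUM", f"WAF rule group {name} is in COUNT mode, not BLOCK"))
    return findings


if __name__ == "__main__":
    for policy in (DANGEROUS_POLICY, SECURE_POLICY):
        findings = audit_policy(policy)
        print(f"{policy['PolicyName']}: {'clean' if not findings else f'{len(findings)} finding(s)'}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Feed it the documents returned by <code>aws fms get-policy</code> for every id from <code>aws fms list-policies</code>, in each Region, to get an organization-wide picture.
</div>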
<!-- Defenses -->
<div class="section"><h2><span style="color:#4ade80;">🛡️</span> Defense Recommendations</h2><div class="defense-grid"><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🔒</span>
<div>
<h4>Restrict FMS Administrative Permissions</h4>
<p>Limit fms:PutPolicy, fms:DeletePolicy, and fms:AssociateAdminAccount to the minimum set of principals. Use SCPs to block Firewall Manager write calls from member accounts.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">✅</span>
<div>
<h4>Enable Auto-Remediation on All Policies</h4>
<p>Set RemediationEnabled: true on every Firewall Manager policy. Audit-only mode is useful during rollout, but production must enforce.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🔔</span>
<div>
<h4>Configure SNS Notification Channel</h4>
<p>Use aws fms put-notification-channel to send compliance findings to an SNS topic monitored by your security team.</p>
<pre><code>aws fms put-notification-channel \
--sns-topic-arn arn:aws:sns:us-east-1:123456789012:fms-alerts \
--sns-role-name FMSSNSRole</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">⚙️</span>
<div>
<h4>Enable AWS Config in All Accounts</h4>
<p>FMS depends on AWS Config to detect resource compliance. Ensure Config is enabled in every account and Region.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">📝</span>
<div>
<h4>Monitor FMS API Calls with CloudTrail</h4>
<p>Alert on PutPolicy, DeletePolicy, AssociateAdminAccount, DisassociateAdminAccount, and DeleteNotificationChannel.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🌍</span>
<div>
<h4>Apply Policies Across All Regions</h4>
<p>FMS policies are Regional. Create policies in every Region where you have resources, or deny resource creation in uncovered Regions.</p>
</div>
</div>
</div></div></div>
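<!-- Added example: CloudTrail triage -->
<div class="section"><h2><span style="color:#4ade80;">🧪</span> Added Example: Triaging FMS CloudTrail Events</h2>
<p class="risk-desc">The Detection panel and the CloudTrail defense above list the event names to alert on. This Python triage is added here and is not part of the original card: it runs over a constructed newline-delimited CloudTrail sample, escalates a PutPolicy whose submitted policy disables remediation or excludes accounts, and raises any flagged call to CRITICAL when the same principal deleted the notification channel shortly before (the "go unnoticed" combination the card warns about). The record layout (eventSource, eventName, userIdentity.arn, camel-cased requestParameters) is assumed.</p>

```python
import json
from datetime import datetime, timedelta

# Event names the card's Detection panel and defenses call out, with a base severity.
FMS_EVENTS = {
    "PutPolicy": "MEDIUM",
    "DeletePolicy": "HIGH",
    "PutAdminAccount": "HIGH",
    "AssociateAdminAccount": "HIGH",
    "DisassociateAdminAccount": "HIGH",
    "DeleteNotificationChannel": "HIGH",
}
SUPPRESSION_WINDOW = timedelta(minutes=30)  # how long a deleted channel taints later calls

# Constructed sample trail (newline-delimited JSON) in time order; account ids are placeholders.
SAMPLE_TRAIL = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "fms.amazonaws.com", "eventName": "ListPolicies",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecOps"}, "requestParameters": None},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "fms.amazonaws.com",
     "eventName": "DeleteNotificationChannel",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "requestParameters": None},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "fms.amazonaws.com", "eventName": "PutPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"policy": {"policyName": "waf-baseline", "remediationEnabled": False,
                                      "excludeMap": {"ACCOUNT": ["111111111111"]}}}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "fms.amazonaws.com", "eventName": "DeletePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"policyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "requestParameters": None},
])


def _parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def triage_fms_events(trail_ndjson: str) -> list[dict]:
    """Return one alert per high-impact FMS call, in trail order.

    PutPolicy is escalated to HIGH when the submitted policy turns remediation off or
    excludes accounts/OUs. Any flagged call made within SUPPRESSION_WINDOW after the same
    principal deleted the notification channel becomes CRITICAL: the SNS path was cut first."""
    alerts = []
    channel_deleted_at: dict[str, datetime] = {}  # principal arn -> time of DeleteNotificationChannel
    for line in trail_ndjson.splitlines():
        event = json.loads(line)
        name = event["eventName"]
        if event.get("eventSource") != "fms.amazonaws.com" or name not in FMS_EVENTS:
            continue
        actor = event["userIdentity"]["arn"]
        when = _parse_time(event["eventTime"])
        severity, reasons = FMS_EVENTS[name], [name]
        params = event.get("requestParameters") or {}
        if name == "PutPolicy":
            policy = params.get("policy", {})
            if policy.get("remediationEnabled") is False:
                severity, reasons = "HIGH", reasons + ["remediationEnabled=false"]
            if any(policy.get("excludeMap", {}).values()):
                severity, reasons = "HIGH", reasons + ["excludeMap non-empty"]
        if name == "DeleteNotificationChannel":
            channel_deleted_at[actor] = when
        elif actor in channel_deleted_at and when - channel_deleted_at[actor] <= SUPPRESSION_WINDOW:
            severity, reasons = "CRITICAL", reasons + ["notification channel deleted shortly before"]
        alerts.append({"time": event["eventTime"], "actor": actor, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage_fms_events(SAMPLE_TRAIL):
        print(f"{alert['time']} {alert['severity']:8} {alert['actor']}  {'; '.join(alert['reasons'])}")
```
</div>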
<!-- Footer -->
<div class="footer">
<p>AWS Firewall Manager Security Card</p>
<p style="margin-top:0.25rem;">Always obtain proper authorization before testing</p>
</div>
</body>
</html>