Firewall Manager Policy Scoping with Tags

Automatically tag AWS resources to enable tag-based scoping for AWS Firewall Manager policies.

Overview

AWS Firewall Manager allows you to use resource tags to control which resources are included in or excluded from security policies (AWS WAF, Shield Advanced, Security Groups, Network ACLs, Network Firewall, DNS Firewall, and third-party firewalls). TagOps can automatically apply the tags required for policy scoping, ensuring resources are consistently included or excluded from security policies based on your organizational requirements.

What TagOps Can Do

TagOps can automatically tag AWS resources with the tags required for Firewall Manager policy scoping:

  • Automatic Tagging: TagOps rules automatically apply policy scope tags to resources when they are created or discovered
  • Include/Exclude Resources: Tag resources to include or exclude them from Firewall Manager policies (e.g., FirewallPolicy: Required, FirewallPolicy: Excluded)
  • Environment-Based Scoping: Use different tag values for different environments to enable separate policy configurations (e.g., Environment: Production for stricter policies, Environment: Development for relaxed policies)
  • Service-Specific Tagging: Tag specific resource types (CloudFront distributions, Application Load Balancers, API Gateways, etc.) with policy scope tags based on your security requirements
  • Consistent Coverage: Ensure all resources that should be protected have the required tags, preventing gaps in security policy enforcement
  • Multi-Policy Support: Tag resources with multiple tags to enable different policies for different resource types or environments

Example TagOps Rule

Create a TagOps rule to automatically tag resources for Firewall Manager policy scoping:

  • Condition: Resource type is cloudfront:distribution and tag Environment equals Production
  • Action: Add tag FirewallPolicy: Required

TagOps will automatically apply these tags to resources, which Firewall Manager can then use to scope policies. You can configure Firewall Manager policies to include only resources with specific tag values, ensuring consistent security policy enforcement across your organization.
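To make the rule above concrete, here is an added Python example that is not TagOps code and makes no AWS API calls. It evaluates the page's rule (Production CloudFront distributions receive FirewallPolicy: Required) over a constructed inventory, reports which resources still lack the scope tag (the coverage gap the rule is meant to close), and then checks which resources a Firewall Manager policy scoped by tags would cover. The scope check mirrors the policy's ResourceTags list and ExcludeResourceTags flag; the assumption that a resource must carry all listed tags to match, the sample ARNs, the account id and the FirewallPolicy: Excluded opt-out value are all constructed for this example.

```python
# Added example (not TagOps code and not an AWS SDK call): simulates a TagOps-style
# tagging rule, then checks which resources a Firewall Manager policy scoped by
# tags would cover. All resources, ARNs and tag values below are constructed.
import copy
from dataclasses import dataclass, field


@dataclass
class Resource:
    arn: str
    resource_type: str              # e.g. "cloudfront:distribution"
    tags: dict = field(default_factory=dict)


@dataclass
class TagRule:
    """Condition: resource type plus required tag values. Action: add tags."""
    resource_type: str
    when_tags: dict
    add_tags: dict

    def matches(self, r: Resource) -> bool:
        return (r.resource_type == self.resource_type
                and all(r.tags.get(k) == v for k, v in self.when_tags.items()))


def apply_rules(resources, rules):
    """Apply every matching rule. A tag is only added when the key is absent, so an
    explicit value already on the resource (e.g. an exclusion) is never clobbered.
    Returns the ARNs that actually received a new tag."""
    tagged = []
    for r in resources:
        for rule in rules:
            if not rule.matches(r):
                continue
            for k, v in rule.add_tags.items():
                if k not in r.tags:
                    r.tags[k] = v
                    if r.arn not in tagged:
                        tagged.append(r.arn)
    return tagged


def in_scope(r: Resource, resource_tags, exclude_resource_tags=False) -> bool:
    """Mirror of a Firewall Manager policy's ResourceTags / ExcludeResourceTags
    fields: resource_tags is a list of {"Key": ..., "Value": ...} (Value optional,
    key-only match when omitted). Assumed here: a resource matches only when it
    carries ALL listed tags; ExcludeResourceTags=True inverts the result."""
    def carries(t):
        if t.get("Value") is None:
            return t["Key"] in r.tags
        return r.tags.get(t["Key"]) == t["Value"]
    matched = all(carries(t) for t in resource_tags)
    return (not matched) if exclude_resource_tags else matched


def missing_scope_tags(resources, rule):
    """Coverage check: resources that satisfy the rule condition (so should be
    protected) but still lack one of the scope tags the rule would add."""
    return [r.arn for r in resources
            if rule.matches(r) and any(k not in r.tags for k in rule.add_tags)]


# Constructed sample inventory (account id and distribution ids are made up).
SAMPLE = [
    Resource("arn:aws:cloudfront::111122223333:distribution/E1PROD",
             "cloudfront:distribution", {"Environment": "Production"}),
    Resource("arn:aws:cloudfront::111122223333:distribution/E2DEV",
             "cloudfront:distribution", {"Environment": "Development"}),
    Resource("arn:aws:cloudfront::111122223333:distribution/E3OPTOUT",
             "cloudfront:distribution",
             {"Environment": "Production", "FirewallPolicy": "Excluded"}),
    Resource("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
             "loadbalancer/app/prod-alb/0123456789abcdef",
             "elasticloadbalancing:loadbalancer", {"Environment": "Production"}),
]

# The rule from the page: Production CloudFront distributions get FirewallPolicy: Required.
RULE = TagRule("cloudfront:distribution",
               when_tags={"Environment": "Production"},
               add_tags={"FirewallPolicy": "Required"})

# Two policy scopes: include-by-tag, and exclude-by-tag (hypothetical opt-out value).
INCLUDE_SCOPE = [{"Key": "FirewallPolicy", "Value": "Required"}]
EXCLUDE_SCOPE = [{"Key": "FirewallPolicy", "Value": "Excluded"}]


def run_demo():
    resources = copy.deepcopy(SAMPLE)
    gaps_before = missing_scope_tags(resources, RULE)
    tagged = apply_rules(resources, [RULE])
    gaps_after = missing_scope_tags(resources, RULE)
    included = [r.arn for r in resources if in_scope(r, INCLUDE_SCOPE)]
    # With ExcludeResourceTags=True, only resources carrying the tag are dropped.
    excluded = [r.arn for r in resources
                if not in_scope(r, EXCLUDE_SCOPE, exclude_resource_tags=True)]
    return {"gaps_before": gaps_before, "tagged": tagged, "gaps_after": gaps_after,
            "included": included, "excluded": excluded}


if __name__ == "__main__":
    for name, arns in run_demo().items():
        print(f"{name}: {arns}")
```

Running the demo shows the distribution E1PROD as a gap before the rule fires, tagged by the rule, and then the only resource inside the include scope; E3OPTOUT keeps its pre-existing Excluded value because the rule never overwrites a present key, and it is the only resource dropped by the exclude scope. The untagged resources are unaffected by the exclusion, which is the behaviour to keep in mind when a policy relies on ExcludeResourceTags rather than on an explicit include tag.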

Additional Resources