
Centralized Web Application Firewall Management


Naveen Teja

2/27/2026


Managing AWS WAF rules individually across dozens of Application Load Balancers and CloudFront distributions is highly inefficient. When a new zero-day vulnerability like Log4j emerges, security teams need to be able to deploy protective rules across the entire organization's infrastructure at once, rather than editing one web ACL per account.

AWS Firewall Manager lets security administrators centrally configure and manage firewall rules across all accounts in an AWS Organization. You create security policies that automatically enforce WAF rule sets on newly created resources, so no application is deployed without baseline DDoS and OWASP protection. With auto-remediation enabled, Firewall Manager also re-attaches the web ACL if someone removes it.

Implementing this requires setting up AWS Organizations and designating a Firewall Manager administrator account from the management account. In Terraform, you then define an `aws_fms_policy` (in the administrator account) that specifies the WAFv2 rule groups Firewall Manager should place in the web ACL it creates and attaches, and target it at a resource type (such as ALB or CloudFront) across your entire organizational boundary.

firewall-manager.tf
# Applied in the delegated Firewall Manager administrator account.
# aws_wafv2_rule_group.owasp_top_10 is a REGIONAL-scope rule group defined
# elsewhere in this configuration.
resource "aws_fms_policy" "global_waf" {
  name                  = "Global-WAF-Protection"
  exclude_resource_tags = false   # no tag means "exclude": every ALB is in scope
  remediation_enabled   = true    # attach the web ACL automatically, don't just report
  resource_type         = "AWS::ElasticLoadBalancingV2::LoadBalancer"

  security_service_policy_data {
    type = "WAFV2"
    managed_service_data = jsonencode({
      type = "WAFV2"
      preProcessRuleGroups = [{
        ruleGroupArn               = aws_wafv2_rule_group.owasp_top_10.arn
        overrideAction             = { type = "NONE" }   # enforce, don't COUNT
        managedRuleGroupIdentifier = null                # custom group, not AWS-managed
        ruleGroupType              = "RuleGroup"         # required: "RuleGroup" or "ManagedRuleGroup"
        excludeRules               = []
      }]
      postProcessRuleGroups = []
      defaultAction         = { type = "ALLOW" }
      # Leave in place any web ACL an application team has already associated.
      overrideCustomerWebACLAssociation = false
    })
  }
}
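The setup described above, as an added end-to-end example (not code from the original post): delegating the Firewall Manager administrator from the Organization's management account, then creating a policy in that administrator account that puts two AWS managed rule groups in front of every CloudFront distribution in selected OUs. The account ID, role ARN and OU ID are placeholders, the provider aliases are assumed, and AWSManagedRulesKnownBadInputsRuleSet is used because it is the AWS-managed group that AWS updates when new exploit request patterns (the Log4j JNDI lookups among them) are disclosed, which is the "push one rule everywhere" scenario the post opens with.

```hcl
# Added example, not part of the original post. Assumes the default provider is
# authenticated to the Organization's management account and that the
# delegated administrator account can be reached via an assumable role.

provider "aws" {
  region = "us-east-1"
}

# Firewall Manager treats CloudFront as a global resource, so CloudFront
# policies must be created in us-east-1 from the administrator account.
provider "aws" {
  alias  = "fms_admin"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole" # placeholder
  }
}

# Step 1: designate the security tooling account as the Firewall Manager administrator.
resource "aws_fms_admin_account" "security_tooling" {
  account_id = "111111111111" # placeholder account ID
}

# Step 2: one policy, applied to every CloudFront distribution in the listed OUs.
resource "aws_fms_policy" "cloudfront_baseline" {
  provider              = aws.fms_admin
  name                  = "CloudFront-Baseline-WAF"
  description           = "AWS Core rule set plus known-bad-inputs on every distribution"
  resource_type         = "AWS::CloudFront::Distribution"
  remediation_enabled   = true   # create and attach the web ACL, re-attach if it is removed
  exclude_resource_tags = false  # resource_tags (unset here) would narrow scope by tag

  # Scope by organizational unit rather than the whole organization (placeholder ID).
  include_map {
    orgunit = ["ou-xxxx-workloads"]
  }

  security_service_policy_data {
    type = "WAFV2"
    managed_service_data = jsonencode({
      type = "WAFV2"
      preProcessRuleGroups = [
        {
          # Broad OWASP-style coverage maintained by AWS.
          ruleGroupArn   = null
          overrideAction = { type = "NONE" }
          managedRuleGroupIdentifier = {
            vendorName           = "AWS"
            managedRuleGroupName = "AWSManagedRulesCommonRuleSet"
            version              = null   # null = track the default (latest) version
          }
          ruleGroupType = "ManagedRuleGroup"
          excludeRules  = []
        },
        {
          # Request patterns tied to known exploits; AWS updates this group when
          # new ones are disclosed, so the organization inherits the update.
          ruleGroupArn   = null
          overrideAction = { type = "NONE" }
          managedRuleGroupIdentifier = {
            vendorName           = "AWS"
            managedRuleGroupName = "AWSManagedRulesKnownBadInputsRuleSet"
            version              = null
          }
          ruleGroupType = "ManagedRuleGroup"
          excludeRules  = []
        }
      ]
      postProcessRuleGroups = []
      defaultAction         = { type = "ALLOW" }
      # Keep any web ACL an application team already attached; Firewall Manager
      # only adds its own rule groups to it instead of replacing it.
      overrideCustomerWebACLAssociation = false
    })
  }

  # The policy can only be created once the delegation has been accepted.
  depends_on = [aws_fms_admin_account.security_tooling]
}
```

Two choices here matter for a defender. `overrideAction = { type = "NONE" }` means the managed rules actually block; switching it to `COUNT` is the usual way to stage a new rule group and review the sampled requests in the WAF logs before enforcing it. And `remediation_enabled = true` turns compliance findings into action: without it Firewall Manager only reports distributions that lack the web ACL, which is fine for a first rollout but leaves the gap the post is trying to close.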