7.2.3. Centralized Policy Enforcement
First Principle: Security policies must be defined once and enforced everywhere — not duplicated in each account. Centralized enforcement ensures consistency and eliminates the risk of accounts with weaker configurations.
AWS Firewall Manager:
- Centrally manages WAF rules, security groups, Network Firewall rules, Shield Advanced, and DNS Firewall across all accounts
- WAF policies: Deploy consistent WAF rules to all ALBs/CloudFront distributions
- Security group policies: Enforce baseline security group rules, audit and clean up unused groups
- Network Firewall policies: Deploy firewall rules across all VPCs
- Automatically applies to new resources as they're created
Centralized Enforcement Architecture:
| What to Enforce | Service | Scope |
|---|---|---|
| WAF rules on all ALBs | Firewall Manager WAF policies | Organization-wide |
| Baseline security groups | Firewall Manager SG policies | OU-based |
| Network firewall rules | Firewall Manager NF policies | VPC-based |
| DDoS protection | Firewall Manager Shield policies | Resource-based |
| DNS filtering | Firewall Manager DNS policies | VPC-based |
⚠️ Exam Trap: Firewall Manager manages WAF rules, security groups, and Network Firewall centrally. It requires AWS Organizations and AWS Config. If a question asks about "centrally deploying WAF rules across all accounts," Firewall Manager is the answer.
Scenario: The security team needs to ensure every ALB in the organization has OWASP Top 10 WAF protection. They create a Firewall Manager WAF policy with the Core Rule Set, scoped to the Workloads OU. Every existing and future ALB automatically receives the WAF Web ACL.
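The scenario above as an added example (not code from the original guide): the Firewall Manager policy object for a WAFv2 Web ACL using the AWS Core Rule Set, scoped to the Workloads OU, plus a small audit helper that flags audit-only policies lacking the auto-remediation the reflection question below asks about. The OU id and policy name are placeholders; `deploy()` assumes credentials for the Firewall Manager administrator account.

```python
import json

# Placeholder id for the "Workloads" OU (assumed, not from the page).
WORKLOADS_OU_ID = "ou-xxxx-placeholderid"

def build_alb_waf_policy(ou_id, name="org-alb-core-rule-set", remediate=True):
    """Build the Policy argument for fms.put_policy(): a WAFv2 Web ACL with the
    AWS Core Rule Set, applied to every ALB in the given OU."""
    managed_service_data = {
        "type": "WAFV2",
        "preProcessRuleGroups": [{
            "ruleGroupArn": None,
            "overrideAction": {"type": "NONE"},   # keep the rule group's own actions
            "managedRuleGroupIdentifier": {
                "version": None,                  # None = always use the default version
                "vendorName": "AWS",
                "managedRuleGroupName": "AWSManagedRulesCommonRuleSet",
            },
            "ruleGroupType": "ManagedRuleGroup",
            "excludeRules": [],
        }],
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        # True: replace any Web ACL a team attached itself, so coverage is guaranteed
        "overrideCustomerWebACLAssociation": True,
        "loggingConfiguration": None,
    }
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": json.dumps(managed_service_data),
        },
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "ExcludeResourceTags": False,
        "RemediationEnabled": remediate,      # re-attach the Web ACL if it is removed later
        "IncludeMap": {"ORG_UNIT": [ou_id]},  # scope: this OU and its children
    }

def rule_group_names(policy):
    """Managed rule groups a WAFv2 FMS policy enforces (parsed from ManagedServiceData)."""
    msd = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    return [g["managedRuleGroupIdentifier"]["managedRuleGroupName"]
            for g in msd["preProcessRuleGroups"] + msd["postProcessRuleGroups"]]

def policies_without_remediation(policies):
    """Names of policies that only report non-compliance instead of fixing it."""
    return [p["PolicyName"] for p in policies if not p.get("RemediationEnabled")]

def deploy(policy):
    """Create or update the policy from the Firewall Manager administrator account."""
    import boto3  # imported here so the module loads without AWS credentials
    return boto3.client("fms").put_policy(Policy=policy)["Policy"]["PolicyId"]
```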
Reflection Question: How does Firewall Manager's auto-remediation capability prevent the common problem of "we deployed the rule but someone removed it later"?