awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

LZ does not support AWS Managed NFW rules #176

Open genie9090 opened 1 year ago

genie9090 commented 1 year ago

Is your feature request related to a problem? Please describe. LZ does not have functionality to add AWS Managed NFW (network FW) rule groups to FW policy. It can create and add customer managed rule groups to the NFW policy, but not AWS managed.

Describe the feature you'd like In NfwFirewallPolicyConfig object, I would like a way to define AWS managed rules. By ARN would probably be easiest. You can see currently it is just by name and it must match a rule in the customer defined rules in LZ NfwRuleGroupConfig object.

Additional context This can be done with CFN, CFN can take the AWS managed FW rule as a ResourceARN. An example CFN config: NFW-policy-test.txt

Looks like this functionality is skipped in LZ. Also if you put them on manually in the console, it gets overridden with each pipeline run. For anyone else facing this issue, my workaround is currently to put on a FMS policy that just puts the managed rules straight back on the NFW if it detects them coming off.

erwaxler commented 1 year ago

Hi @genie9090 , thank you for creating this issue! I have created a ticket in the backlog to implement this functionality. Thank you for your interest in the Landing Zone Accelerator.

joshuahigginson1 commented 1 year ago

Hi Team, I'm also coming up with this issue above.

Could anyone describe the current workaround? Would this be possible with customization-config.yaml?

erwaxler commented 1 year ago

Hi @joshuahigginson1 , that's correct, the current recommended workaround would be to deploy this as a custom CloudFormation stack through LZA Customizations. For example implementations, please take a look at CloudFormationStackConfig.

genie9090 commented 1 year ago

Hi @erwaxler, I ended up doing it with Firewall Manager Service (FMS), just in the console and not as IaC. You create a NFW policy in FMS and set it to Auto-remediate. This way every time your LZA pipeline runs, LZA will update your current rules, and then FMS will detect this and auto apply your NFW managed rules. I found this easier than managing a custom CFN template in LZA code. Basically a workaround until this feature goes in. If you use this method, the NFW 20 rule group limit can surprise you. Make sure your rule groups (LZA) + FMS rule groups <= 20

wesmiles commented 1 year ago

Hi @erwaxler, when do you think this enhancement will be included in a release of LZA?

I've had a quick look at the workaround using the customization-config.yaml but I think I would end up managing the firewall, firewall policy and rule groups through this file rather than just adding the AWS managed rule groups that I want to add to a policy created in LZA. I'm thinking this would happen as these resources will have a dependency on each other resulting in multiple LZA pipeline runs.

I might be wrong but is it possible to reference resources created in LZA from CloudFormation defined through customization-config.yaml? So ideally just referencing the policy defined in LZA with a couple of AWS managed rule group ARN references.

Thanks

erwaxler commented 1 year ago

Hey @wesmiles , no update yet but I've flagged the issue for prioritization.

Some resources have ARNs or Ids stored in SSM Parameter Store, VPCs are a good example. We are working to catalog all values stored in SSM in our next documentation update, but I would check SSM as a first option to reference resources deployed by LZA.
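As an added illustration of the two workaround pieces discussed in this thread (a custom CloudFormation stack that references an AWS managed rule group by ResourceArn, and pulling an LZA-created ARN out of SSM Parameter Store), here is an example template that is not part of the LZA project or of any comment above. The SSM parameter path and the managed rule group name are assumptions for the example, not values documented on this page; verify both in your account before use.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Example only: Network Firewall policy combining a customer rule group
  deployed by LZA with an AWS managed stateful rule group.

Parameters:
  # Assumed: the SSM parameter under which LZA publishes the customer rule
  # group ARN. Check Parameter Store in the target account for the real path.
  CustomerRuleGroupArn:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /accelerator/network/networkFirewall/ruleGroups/EXAMPLE-RULE-GROUP/arn
  # Assumed AWS managed rule group name; list the available names with
  # `aws network-firewall list-rule-groups --scope MANAGED` and adjust.
  ManagedRuleGroupName:
    Type: String
    Default: AbusedLegitMalwareDomainsStrictOrder

Resources:
  ManagedRulesPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: example-managed-rules-policy
      FirewallPolicy:
        StatelessDefaultActions:
          - aws:forward_to_sfe
        StatelessFragmentDefaultActions:
          - aws:forward_to_sfe
        # Managed "StrictOrder" groups require strict rule ordering, which in
        # turn requires a Priority on every stateful rule group reference.
        StatefulEngineOptions:
          RuleOrder: STRICT_ORDER
        StatefulDefaultActions:
          - aws:drop_strict
          - aws:alert_strict
        StatefulRuleGroupReferences:
          # Customer rule group whose ARN was resolved from SSM above.
          - Priority: 1
            ResourceArn: !Ref CustomerRuleGroupArn
          # AWS managed rule group, referenced purely by ARN; the account
          # segment of a managed group ARN is the literal "aws-managed".
          - Priority: 2
            ResourceArn: !Sub "arn:${AWS::Partition}:network-firewall:${AWS::Region}:aws-managed:stateful-rulegroup/${ManagedRuleGroupName}"

Outputs:
  PolicyArn:
    Description: ARN of the policy, to attach to a firewall you also manage.
    Value: !Ref ManagedRulesPolicy
```

Note that this stack owns its own policy; it does not modify a policy LZA already created, and each managed group counts toward the 20 rule group per policy limit mentioned earlier in the thread.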

samh1029 commented 3 months ago

Any update on this?