How to enforce a security baseline for an AWS WAF ACL across your organization using AWS Firewall Manager
Security Blog
This article discusses how to enforce a security baseline for AWS WAF access control lists (ACLs) across an organization using AWS Firewall Manager.
Specifically, the article covers:
- Centrally managing firewall policies using AWS Firewall Manager and delegating administrators
- Creating a Firewall Manager policy as a security baseline with mandatory first and last rule groups, and allowing a custom middle rule group for specific application needs
- Defining the scope of the policy across accounts and resources
- Examples of rules to include in the first (e.g., IP reputation lists), middle (e.g., rate limits, OWASP rules), and last (e.g., allowed lists) rule groups
- Recommended approach for testing and tuning the WAF rules before enabling in production
- Cleanup steps to remove unnecessary policies and resources
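The first/middle/last layering described above maps onto a Firewall Manager WAFv2 policy: the mandatory first and last rule groups are the policy's `preProcessRuleGroups` and `postProcessRuleGroups`, and the "middle" is whatever the application team adds to the web ACL in between. The script below is an added example, not code from the AWS article. It assembles the policy document that `aws fms put-policy` (or boto3 `put_policy`) accepts, switches the baseline to COUNT mode for tuning, and checks a web ACL's rule order against the baseline. The account ID, OU ID, rule group ARN and the sample web ACL rule list are constructed placeholders.

```python
import copy
import json

# Constructed placeholders for this example (replace with your own values).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
ALLOW_LIST_RULE_GROUP_ARN = (
    f"arn:aws:wafv2:{REGION}:{ACCOUNT_ID}:regional/rulegroup/"
    "baseline-allow-list/00000000-0000-0000-0000-000000000000"
)

# Mandatory first rule group: AWS managed IP reputation list, evaluated before
# anything the application owner adds to the web ACL.
FIRST_RULE_GROUPS = [{
    "ruleGroupArn": None,
    "overrideAction": {"type": "NONE"},
    "managedRuleGroupIdentifier": {
        "version": None,
        "vendorName": "AWS",
        "managedRuleGroupName": "AWSManagedRulesAmazonIpReputationList",
    },
    "ruleGroupType": "ManagedRuleGroup",
    "excludeRules": [],
}]

# Mandatory last rule group: a custom rule group holding organization allow lists.
LAST_RULE_GROUPS = [{
    "ruleGroupArn": ALLOW_LIST_RULE_GROUP_ARN,
    "overrideAction": {"type": "NONE"},
    "managedRuleGroupIdentifier": None,
    "ruleGroupType": "RuleGroup",
    "excludeRules": [],
}]


def build_managed_service_data(first=FIRST_RULE_GROUPS, last=LAST_RULE_GROUPS):
    """Build the WAFv2 ManagedServiceData document used by Firewall Manager."""
    return {
        "type": "WAFV2",
        "preProcessRuleGroups": first,
        "postProcessRuleGroups": last,
        "defaultAction": {"type": "ALLOW"},
        # Keep existing account-owned web ACL associations rather than replacing them.
        "overrideCustomerWebACLAssociation": False,
        "loggingConfiguration": None,
    }


def build_policy(name, org_unit_ids, managed_service_data, remediation_enabled=False):
    """Build the Policy structure for fms put-policy, scoped to the given OUs."""
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": json.dumps(managed_service_data),
        },
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": [
            "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "AWS::ApiGateway::Stage",
        ],
        "ExcludeResourceTags": False,
        # Start with auto-remediation off so non-compliant resources are only reported.
        "RemediationEnabled": remediation_enabled,
        "IncludeMap": {"ORG_UNIT": org_unit_ids},
    }


def count_mode(managed_service_data):
    """Return a copy with every baseline rule group overridden to COUNT for tuning."""
    tuned = copy.deepcopy(managed_service_data)
    for key in ("preProcessRuleGroups", "postProcessRuleGroups"):
        for group in tuned[key]:
            group["overrideAction"] = {"type": "COUNT"}
    return tuned


def check_baseline_order(web_acl_rules, first_names, last_names):
    """Check that a web ACL evaluates the baseline first groups before, and the
    baseline last groups after, any application-specific rules.
    web_acl_rules: list of {"Name", "Priority"} dicts as in a GetWebACL response."""
    ordered = [r["Name"] for r in sorted(web_acl_rules, key=lambda r: r["Priority"])]
    if ordered[:len(first_names)] != first_names:
        return False, "baseline first rule groups are not evaluated first"
    if ordered[-len(last_names):] != last_names:
        return False, "baseline last rule groups are not evaluated last"
    return True, "baseline order intact"


# Constructed sample web ACL: baseline groups wrap an app-specific rate limit rule.
SAMPLE_RULES = [
    {"Name": "fms-first-ip-reputation", "Priority": 0},
    {"Name": "app-rate-limit", "Priority": 1},
    {"Name": "fms-last-allow-list", "Priority": 2},
]

if __name__ == "__main__":
    policy = build_policy("waf-baseline", ["ou-abcd-11111111"], count_mode(build_managed_service_data()))
    print(json.dumps(policy, indent=2))
    print(check_baseline_order(SAMPLE_RULES, ["fms-first-ip-reputation"], ["fms-last-allow-list"]))
```

The policy is first deployed with `count_mode` output and `RemediationEnabled` false, WAF logs are reviewed for false positives, and only then is the NONE-override version applied with remediation on.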
Related articles
- May 7, 2025: Building your first AWS WAF web ACL to protect against evolving threats
- Jul 8, 2024: Centrally manage VPC network ACL rules to block unwanted traffic using AWS Firewall Manager
- Oct 25, 2024: AWS Firewall Manager now supports retrofitting of existing AWS WAF WebACLs
- Jun 27, 2025: AWS Firewall Manager provides support for AWS WAF L7 DDOS managed rules