AWS Firewall Manager 策略更新指南
📋 更新 Firewall Manager 策略的流程
1. 获取现有策略信息
region=ap-northeast-1
# Every Firewall Manager policy in the region, with its PolicyId
aws fms list-policies --region "$region"
# Full definition of one policy (replace 策略ID with a PolicyId from the list above)
aws fms get-policy \
  --policy-id "策略ID" \
  --region "$region"
2. 更新 Network Firewall 策略
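#!/bin/bash
# Example: update the org-wide Network Firewall policy in place.
# Flow: resolve PolicyId by name -> fetch a fresh PolicyUpdateToken -> build the
# policy document with jq -> put-policy. The token changes after every update,
# so it is always re-read here rather than reused.
set -euo pipefail

REGION="ap-northeast-1"
POLICY_NAME="OrgWideNetworkFirewallPolicy"
# Deployment-specific values the original listing left as inline placeholders;
# require them up front instead of sending a bogus ARN / OU id to FMS.
ACCOUNT_ID="${ACCOUNT_ID:?set ACCOUNT_ID to the account that owns the rule groups}"
ORG_UNIT_ID="${ORG_UNIT_ID:?set ORG_UNIT_ID to the target OU id (ou-...)}"

# Resolve the existing policy id. Match on name AND service type, and refuse to
# continue if the name is ambiguous (text output would silently tab-join ids).
POLICY_LIST=$(aws fms list-policies --region "$REGION" \
  --query "PolicyList[?PolicyName=='${POLICY_NAME}' && SecurityServiceType=='NETWORK_FIREWALL'].PolicyId" \
  --output json)
mapfile -t policy_ids < <(jq -r '.[]' <<<"$POLICY_LIST")
if (( ${#policy_ids[@]} == 0 )); then
  echo "❌ 未找到策略: $POLICY_NAME" >&2
  exit 1
fi
if (( ${#policy_ids[@]} > 1 )); then
  echo "❌ 找到多个同名策略，无法确定要更新哪个: ${policy_ids[*]}" >&2
  exit 1
fi
POLICY_ID=${policy_ids[0]}
echo "找到策略ID: $POLICY_ID"

# Fetch the current PolicyUpdateToken; put-policy rejects a missing or stale one.
POLICY_DETAIL=$(aws fms get-policy --policy-id "$POLICY_ID" --region "$REGION")
UPDATE_TOKEN=$(jq -r '.Policy.PolicyUpdateToken' <<<"$POLICY_DETAIL")
if [[ -z "$UPDATE_TOKEN" || "$UPDATE_TOKEN" == "null" ]]; then
  echo "❌ 未能获取 PolicyUpdateToken" >&2
  exit 1
fi
echo "获取到UpdateToken: $UPDATE_TOKEN"

# ManagedServiceData is a JSON document carried as a string. Build it with jq
# so quoting/escaping is handled by jq instead of splicing shell variables
# into a hand-written literal (which breaks, or mis-parses, on any quote).
MANAGED_SERVICE_DATA=$(jq -cn --arg region "$REGION" --arg account "$ACCOUNT_ID" '{
  type: "NETWORK_FIREWALL",
  networkFirewallStatelessRuleGroupReferences: [
    {resourceARN: "arn:aws:network-firewall:\($region):\($account):stateless-rulegroup/OrgWideStatelessRules", priority: 1}
  ],
  networkFirewallStatelessDefaultActions: ["aws:forward_to_sfe"],
  networkFirewallStatelessFragmentDefaultActions: ["aws:forward_to_sfe"],
  networkFirewallStatefulRuleGroupReferences: [
    {resourceARN: "arn:aws:network-firewall:\($region):\($account):stateful-rulegroup/OrgWideStatefulRules"}
  ],
  networkFirewallOrchestrationConfig: {
    singleFirewallEndpointPerVPC: false,
    allowedIPV4CidrList: ["10.0.0.0/28"],
    routeManagementAction: "OFF"
  }
}')

# Policy document (example: exclude VPCs tagged VpcType=default).
# - ExcludeResourceTags=true turns ResourceTags into an exclusion list: tagged
#   VPCs are left out of scope.
# - RemediationEnabled=true lets FMS act on non-compliant VPCs by itself, so
#   double-check IncludeMap and the exclusions before applying.
POLICY_JSON=$(jq -n \
  --arg policy_id "$POLICY_ID" \
  --arg update_token "$UPDATE_TOKEN" \
  --arg policy_name "$POLICY_NAME" \
  --arg managed_service_data "$MANAGED_SERVICE_DATA" \
  --arg org_unit "$ORG_UNIT_ID" '{
  PolicyId: $policy_id,
  PolicyUpdateToken: $update_token,
  PolicyName: $policy_name,
  SecurityServicePolicyData: {
    Type: "NETWORK_FIREWALL",
    ManagedServiceData: $managed_service_data
  },
  ResourceType: "AWS::EC2::VPC",
  ResourceTags: [{Key: "VpcType", Value: "default"}],
  ExcludeResourceTags: true,
  RemediationEnabled: true,
  DeleteUnusedFMManagedResources: false,
  IncludeMap: {ORG_UNIT: [$org_unit]}
}')

aws fms put-policy --region "$REGION" --policy "$POLICY_JSON"
echo "✅ 策略更新完成"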
📋 常用更新场景
🔧 场景1:排除默认VPC
# 1. Tag the default VPC so the policy's tag-based exclusion can match it
vpc_id=vpc-xxxxxxxxx   # placeholder: id of the default VPC
aws ec2 create-tags \
  --region ap-northeast-1 \
  --resources "$vpc_id" \
  --tags "Key=VpcType,Value=default"
# 2. Exclude the tagged VPC from the policy scope by adding these two
#    fields to the put-policy payload shown above:
#   "ResourceTags": [{"Key": "VpcType", "Value": "default"}],
#   "ExcludeResourceTags": true
🔧 场景2:更新规则组引用
# Resolve the ARN of the replacement stateful rule group
NEW_STATEFUL_ARN=$(
  aws network-firewall describe-rule-group \
    --region ap-northeast-1 \
    --type STATEFUL \
    --rule-group-name "UpdatedStatefulRules" \
    --query 'RuleGroupResponse.RuleGroupArn' \
    --output text
)
# Then substitute it for the old ARN inside ManagedServiceData
# (the networkFirewallStatefulRuleGroupReferences[].resourceARN field)
🔧 场景3:修改策略范围
# 更新IncludeMap指向新的OU
# "IncludeMap": {
# "ORG_UNIT": ["ou-新的OU-ID"]
# }
📋 使用策略文件更新
1. 创建更新脚本
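#!/bin/bash
# update-firewall-policy.sh
# Apply the policy definition in POLICY_FILE to the existing org-wide Network
# Firewall policy: look up its id, fetch a fresh PolicyUpdateToken, merge both
# into the file and call put-policy.
set -euo pipefail

REGION="ap-northeast-1"
POLICY_NAME="OrgWideNetworkFirewallPolicy"
POLICY_FILE="policies/network-firewall-policy-exclude-default-vpc.json"

# Fail early: the file must exist and parse as JSON before we touch FMS.
if [ ! -f "$POLICY_FILE" ]; then
  echo "❌ 策略文件不存在: $POLICY_FILE" >&2
  exit 1
fi
if ! jq -e . "$POLICY_FILE" >/dev/null; then
  echo "❌ 策略文件不是有效的JSON: $POLICY_FILE" >&2
  exit 1
fi

# Locate the existing policy; refuse to guess when the name is ambiguous
# (the original silently took the first match).
EXISTING_POLICY=$(aws fms list-policies --region "$REGION" \
  --query "PolicyList[?PolicyName=='${POLICY_NAME}' && SecurityServiceType=='NETWORK_FIREWALL']" \
  --output json)
MATCH_COUNT=$(jq 'length' <<<"$EXISTING_POLICY")
if [[ "$MATCH_COUNT" == "0" ]]; then
  echo "❌ 未找到现有的Network Firewall策略" >&2
  exit 1
fi
if [[ "$MATCH_COUNT" != "1" ]]; then
  echo "❌ 找到 $MATCH_COUNT 个同名策略，无法确定要更新哪个" >&2
  exit 1
fi
POLICY_ID=$(jq -r '.[0].PolicyId' <<<"$EXISTING_POLICY")
echo "找到策略ID: $POLICY_ID"

# A fresh PolicyUpdateToken is mandatory; it changes after every put-policy.
POLICY_DETAIL=$(aws fms get-policy --policy-id "$POLICY_ID" --region "$REGION")
UPDATE_TOKEN=$(jq -r '.Policy.PolicyUpdateToken' <<<"$POLICY_DETAIL")
if [[ -z "$UPDATE_TOKEN" || "$UPDATE_TOKEN" == "null" ]]; then
  echo "❌ 未能获取 PolicyUpdateToken" >&2
  exit 1
fi

# Unpredictable, owner-only temp file, removed on every exit path. The original
# /tmp/update-policy-<epoch>.json name is guessable, so another local user could
# pre-create it and the script would write the policy through their file.
TEMP_FILE=$(mktemp "${TMPDIR:-/tmp}/update-policy.XXXXXX")
trap 'rm -f -- "$TEMP_FILE"' EXIT
jq --arg policy_id "$POLICY_ID" --arg update_token "$UPDATE_TOKEN" \
  '. + {PolicyId: $policy_id, PolicyUpdateToken: $update_token}' \
  "$POLICY_FILE" > "$TEMP_FILE"

echo "更新策略..."
aws fms put-policy --policy "file://$TEMP_FILE" --region "$REGION"
echo "✅ 策略更新完成"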
2. 使用方法
# Make the script executable, then run it from the directory that holds policies/
chmod +x -- update-firewall-policy.sh
./update-firewall-policy.sh
📋 验证更新结果
region=ap-northeast-1
# Current definition of the policy (swap 策略ID for the real PolicyId)
aws fms get-policy --policy-id "策略ID" --region "$region"
# Per-account compliance for that policy
aws fms list-compliance-status --policy-id "策略ID" --region "$region"
# Poll every 30s until re-evaluation settles (typically 5-15 minutes)
watch -n 30 'aws fms list-compliance-status --policy-id "策略ID" --region ap-northeast-1'
⚠️ 重要注意事项
必须包含PolicyId和PolicyUpdateToken:
{
"PolicyId": "现有策略的ID",
"PolicyUpdateToken": "从get-policy获取的token",
...其他配置
}
UpdateToken会在每次更新后变化:
• 每次更新前都要重新获取
• 使用过期的token会导致更新失败
策略更新后的行为:
• 策略ID保持不变
• 防火墙实例保留(就地更新)
• 需要等待5-15分钟重新评估
备份现有策略:
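# Snapshot the current policy before changing it. Force JSON so the backup can
# be fed back to put-policy whatever the CLI's configured output format is.
# Note: the saved PolicyUpdateToken goes stale after the next update; fetch a
# fresh one before restoring from this file.
aws fms get-policy --policy-id "策略ID" --region ap-northeast-1 --output json \
  > "backup-policy-$(date +%Y%m%d).json"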