AWS Firewall Manager Policy Update Guide

📋 Procedure for updating a Firewall Manager policy

1. Retrieve the existing policy

# List all policies
aws fms list-policies --region ap-northeast-1

# Get the details of one policy (replace POLICY_ID with the real ID)
aws fms get-policy --policy-id "POLICY_ID" --region ap-northeast-1

2. Update the Network Firewall policy

#!/bin/bash
# Example: update a Network Firewall policy in place
set -euo pipefail

REGION="ap-northeast-1"
POLICY_NAME="OrgWideNetworkFirewallPolicy"

# Look up the ID of the existing policy by name and service type
POLICY_ID=$(aws fms list-policies --region "$REGION" \
  --query "PolicyList[?PolicyName=='$POLICY_NAME' && SecurityServiceType=='NETWORK_FIREWALL'].PolicyId" \
  --output text)

if [ -z "$POLICY_ID" ] || [ "$POLICY_ID" = "None" ]; then
  echo "❌ Policy not found: $POLICY_NAME"
  exit 1
fi

echo "Found policy ID: $POLICY_ID"

# Fetch the policy details; put-policy requires the current PolicyUpdateToken
POLICY_DETAIL=$(aws fms get-policy --policy-id "$POLICY_ID" --region "$REGION")
UPDATE_TOKEN=$(echo "$POLICY_DETAIL" | jq -r '.Policy.PolicyUpdateToken')

echo "Got UpdateToken: $UPDATE_TOKEN"

# Update the policy (example: add a tag-based exclusion for the default VPC).
# Replace ACCOUNT_ID in the rule group ARNs with the account that owns them.
aws fms put-policy --region "$REGION" --policy '{
  "PolicyId": "'"$POLICY_ID"'",
  "PolicyUpdateToken": "'"$UPDATE_TOKEN"'",
  "PolicyName": "OrgWideNetworkFirewallPolicy",
  "SecurityServicePolicyData": {
    "Type": "NETWORK_FIREWALL",
    "ManagedServiceData": "{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:'"$REGION"':ACCOUNT_ID:stateless-rulegroup/OrgWideStatelessRules\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\"],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:'"$REGION"':ACCOUNT_ID:stateful-rulegroup/OrgWideStatefulRules\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\"],\"routeManagementAction\":\"OFF\"}}"
  },
  "ResourceType": "AWS::EC2::VPC",
  "ResourceTags": [
    {
      "Key": "VpcType",
      "Value": "default"
    }
  ],
  "ExcludeResourceTags": true,
  "RemediationEnabled": true,
  "DeleteUnusedFMManagedResources": false,
  "IncludeMap": {
    "ORG_UNIT": ["ou-xxxxxxxxx"]
  }
}'

echo "✅ Policy update complete"

📋 Common update scenarios

🔧 Scenario 1: Exclude the default VPC

# 1. Tag the default VPC
aws ec2 create-tags \
  --resources vpc-xxxxxxxxx \
  --tags Key=VpcType,Value=default \
  --region ap-northeast-1

# 2. Update the policy with the exclusion
# Add the following to the put-policy command above:
# "ResourceTags": [{"Key": "VpcType", "Value": "default"}],
# "ExcludeResourceTags": true

🔧 Scenario 2: Update rule group references

# Get the ARN of the new rule group
NEW_STATEFUL_ARN=$(aws network-firewall describe-rule-group \
  --rule-group-name "UpdatedStatefulRules" \
  --type STATEFUL \
  --region ap-northeast-1 \
  --query 'RuleGroupResponse.RuleGroupArn' \
  --output text)

# Replace the ARN reference inside ManagedServiceData with $NEW_STATEFUL_ARN

🔧 Scenario 3: Change the policy scope

# Point IncludeMap at the new OU
# "IncludeMap": {
#   "ORG_UNIT": ["ou-NEW-OU-ID"]
# }

📋 Updating from a policy file

1. Create the update script

#!/bin/bash
# update-firewall-policy.sh
set -euo pipefail

REGION="ap-northeast-1"
POLICY_NAME="OrgWideNetworkFirewallPolicy"
POLICY_FILE="policies/network-firewall-policy-exclude-default-vpc.json"

# Check that the policy file exists
if [ ! -f "$POLICY_FILE" ]; then
  echo "❌ Policy file not found: $POLICY_FILE"
  exit 1
fi

# Look up the existing policy
EXISTING_POLICY=$(aws fms list-policies --region "$REGION" \
  --query "PolicyList[?PolicyName=='$POLICY_NAME' && SecurityServiceType=='NETWORK_FIREWALL']" \
  --output json)

if [ "$EXISTING_POLICY" = "[]" ]; then
  echo "❌ No existing Network Firewall policy found"
  exit 1
fi

POLICY_ID=$(echo "$EXISTING_POLICY" | jq -r '.[0].PolicyId')
echo "Found policy ID: $POLICY_ID"

# Get the current UpdateToken
POLICY_DETAIL=$(aws fms get-policy --policy-id "$POLICY_ID" --region "$REGION")
UPDATE_TOKEN=$(echo "$POLICY_DETAIL" | jq -r '.Policy.PolicyUpdateToken')

# Create a temporary update file (mktemp avoids a predictable file name in /tmp)
TEMP_FILE=$(mktemp /tmp/update-policy.XXXXXX.json)
trap 'rm -f "$TEMP_FILE"' EXIT

# Merge PolicyId and PolicyUpdateToken into the policy file
jq --arg policy_id "$POLICY_ID" --arg update_token "$UPDATE_TOKEN" \
  '. + {PolicyId: $policy_id, PolicyUpdateToken: $update_token}' \
  "$POLICY_FILE" > "$TEMP_FILE"

# Apply the update
echo "Updating policy..."
aws fms put-policy --policy file://"$TEMP_FILE" --region "$REGION"

echo "✅ Policy update complete"

2. Usage

# Make the script executable
chmod +x update-firewall-policy.sh

# Run the update
./update-firewall-policy.sh

📋 Verify the result

# Check the policy status
aws fms get-policy --policy-id "POLICY_ID" --region ap-northeast-1

# Check the compliance status
aws fms list-compliance-status --policy-id "POLICY_ID" --region ap-northeast-1

# Wait for re-evaluation to finish (5-15 minutes)
watch -n 30 'aws fms list-compliance-status --policy-id "POLICY_ID" --region ap-northeast-1'

⚠️ Important notes

  1. PolicyId and PolicyUpdateToken must be included:

    {
    "PolicyId": "ID of the existing policy",
    "PolicyUpdateToken": "token obtained from get-policy",
    ...remaining configuration
    }
  2. The UpdateToken changes after every update:
    • Fetch it again before each update
    • A stale token causes the update to fail

  3. Behaviour after a policy update:
    • The policy ID stays the same
    • Firewall instances are preserved (updated in place)
    • Re-evaluation takes 5-15 minutes

  4. Back up the existing policy first:

aws fms get-policy --policy-id "POLICY_ID" --region ap-northeast-1 > backup-policy-$(date +%Y%m%d).json
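The following is an added example, not one of this guide's scripts: it builds the body for `aws fms put-policy` from the output of `get-policy`, covering scenario 1 (tag exclusion), scenario 2 (swapping the stateful rule group ARN inside the JSON-encoded ManagedServiceData string) and the PolicyId/PolicyUpdateToken requirement from the notes. The sample get-policy output, IDs and ARNs are constructed placeholders.

```python
import json

# Constructed sample of `aws fms get-policy` output; IDs and ARNs are placeholders, not real values.
SAMPLE_GET_POLICY = {
    "Policy": {
        "PolicyId": "00000000-0000-0000-0000-000000000000",
        "PolicyName": "OrgWideNetworkFirewallPolicy",
        "PolicyUpdateToken": "token-before-update",
        "SecurityServicePolicyData": {
            "Type": "NETWORK_FIREWALL",
            # ManagedServiceData is JSON encoded as a string inside the policy JSON
            "ManagedServiceData": json.dumps({
                "type": "NETWORK_FIREWALL",
                "networkFirewallStatefulRuleGroupReferences": [
                    {"resourceARN": "arn:aws:network-firewall:ap-northeast-1:ACCOUNT_ID:stateful-rulegroup/OrgWideStatefulRules"}
                ],
            }),
        },
        "ResourceType": "AWS::EC2::VPC",
        "ExcludeResourceTags": False,
        "RemediationEnabled": True,
        "IncludeMap": {"ORG_UNIT": ["ou-xxxxxxxxx"]},
    },
    "PolicyArn": "arn:aws:fms:ap-northeast-1:ACCOUNT_ID:policy/00000000-0000-0000-0000-000000000000",
}


def build_put_policy_body(get_policy_output, new_stateful_arn=None, exclude_tags=None):
    """Build the `--policy` body for put-policy from get-policy output (only the inner Policy object is sent back)."""
    policy = json.loads(json.dumps(get_policy_output["Policy"]))  # deep copy; the input is left untouched
    for field in ("PolicyId", "PolicyUpdateToken"):
        if not policy.get(field):
            raise ValueError(f"{field} missing: put-policy would be rejected")
    if new_stateful_arn:
        # Scenario 2: decode the nested JSON string, replace the stateful rule group reference, re-encode
        msd = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
        msd["networkFirewallStatefulRuleGroupReferences"] = [{"resourceARN": new_stateful_arn}]
        policy["SecurityServicePolicyData"]["ManagedServiceData"] = json.dumps(msd, separators=(",", ":"))
    if exclude_tags:
        # Scenario 1: ExcludeResourceTags=true means "every VPC in scope except those carrying these tags"
        policy["ResourceTags"] = [{"Key": k, "Value": v} for k, v in exclude_tags.items()]
        policy["ExcludeResourceTags"] = True
    return policy


def stateful_rule_group_arns(policy):
    """Return the stateful rule group ARNs a policy body references, for checking before and after the update."""
    msd = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    return [ref["resourceARN"] for ref in msd.get("networkFirewallStatefulRuleGroupReferences", [])]
```

Write the returned dictionary to a file with `json.dump` and pass it as `--policy file://...`; the token it carries is consumed by that one update, so rebuild the body from a fresh `get-policy` call before the next one.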