Skip to content
Alchemy
GitHubXDiscordRSS

Policy

The Policy resource lets you manage AWS Firewall Manager Policies for enforcing rules across your AWS accounts and resources.

Minimal Example

Section titled “Minimal Example”

Create a basic FMS policy with essential properties including a description and tags.

import AWS from "alchemy/aws/control";


const fmsPolicy = await AWS.FMS.Policy("basicFmsPolicy", {
  PolicyName: "BasicFMSPolicy",
  PolicyDescription: "A basic policy for managing firewall rules.",
  RemediationEnabled: true,
  SecurityServicePolicyData: {
    Type: "WAF",
    WafPolicy: {
      WafWebAclArn: "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-web-acl/abcdefg1-2345-6789-abcd-ef1234567890"
    }
  },
  ExcludeResourceTags: false,
  ResourceTags: [
    { Key: "Environment", Value: "Production" }
  ]
});

Advanced Configuration

Section titled “Advanced Configuration”

Configure a policy with additional options including resource cleanup and an include map for tag-based resource selection.

const advancedFmsPolicy = await AWS.FMS.Policy("advancedFmsPolicy", {
  PolicyName: "AdvancedFMSPolicy",
  PolicyDescription: "An advanced policy with resource cleanup and specific tags.",
  RemediationEnabled: true,
  ResourcesCleanUp: true,
  SecurityServicePolicyData: {
    Type: "WAF",
    WafPolicy: {
      WafWebAclArn: "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-web-acl/abcdefg2-2345-6789-abcd-ef1234567890"
    }
  },
  ExcludeResourceTags: false,
  IncludeMap: {
    "resourceType": ["AWS::EC2::Instance"],
    "resourceTag": {"Key": "Environment", "Value": "Production"}
  },
  ResourceTags: [
    { Key: "Application", Value: "WebApp" }
  ]
});

Custom Resource Set Configuration

Section titled “Custom Resource Set Configuration”

Create a policy that applies to a specific set of resources using resource set IDs.

const resourceSetPolicy = await AWS.FMS.Policy("resourceSetFmsPolicy", {
  PolicyName: "ResourceSetFMSPolicy",
  PolicyDescription: "Policy targeting specific resource sets.",
  RemediationEnabled: true,
  ResourceSetIds: [
    "resource-set-id-1",
    "resource-set-id-2"
  ],
  SecurityServicePolicyData: {
    Type: "WAF",
    WafPolicy: {
      WafWebAclArn: "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-web-acl/abcdefg3-2345-6789-abcd-ef1234567890"
    }
  },
  ExcludeResourceTags: true
});

Tagging Policies

Section titled “Tagging Policies”

Demonstrate how to apply tags to manage policies effectively.

const taggedFmsPolicy = await AWS.FMS.Policy("taggedFmsPolicy", {
  PolicyName: "TaggedFMSPolicy",
  PolicyDescription: "A policy with specific tags to manage resources.",
  RemediationEnabled: false,
  SecurityServicePolicyData: {
    Type: "WAF",
    WafPolicy: {
      WafWebAclArn: "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-web-acl/abcdefg4-2345-6789-abcd-ef1234567890"
    }
  },
  ExcludeResourceTags: false,
  ResourceTags: [
    { Key: "Project", Value: "Security" },
    { Key: "Owner", Value: "TeamA" }
  ]
});