When you get started from an AWS member account or AWS Firewall Manager account, you subscribe from your AWS Marketplace console to create a new Cloud NGFW tenant with your AWS account. You can also log in to an additional AWS account and again subscribe from your AWS Marketplace console to add an AWS account to an existing Cloud NGFW tenant.

This action establishes a billing link between the Cloud NGFW tenant and your AWS account. enabling metering records to be sent from Cloud NGFW to the AWS Marketplace Metering Service. Your Cloud NGFW resources remain intact during this transition.

When you subscribe from multiple AWS accounts to the same Cloud NGFW tenant, the Cloud NGFW tenant centralizes billing using the subscribed AWS accounts. If the first account unsubscribes, the Cloud NGFW platform dynamically selects the second subscribed account for sending metering and overage records.

For more information, see

You can also onboard up to 200 AWS accounts to the tenant by establishing cross-account access using AWS IAM roles that allow Cloud NGFW to access AWS resources (for storing logs in CloudWatch log groups, or Kinesis Firehose, for accessing decryption certificates in AWS Secrets Manager, harvesting resource tags, and optionally creating and managing NGFW endpoints) in the AWS account.

Each onboarded account must provide specific IAM roles and permissions to the Cloud NGFW service for granular administration and control. From then on, all administrative actions are governed by AWS IAM policies, ensuring secure and auditable delegation of permissions.

When creating a Cloud NGFW resource, you can add one or more of your AWS accounts to its allow-list. From then on, a VPC endpoint service, corresponding to the Cloud NGFW resource, will manifest in your (allow-listed) AWS account(s). You can then create endpoints in your VPC to redirect traffic to the Cloud NGFW resources.