AWS Certified Solutions Architect - Associate / Question #1676 of 1019

Question #1676

A company manages multiple AWS accounts within an organization using AWS Organizations. The company has several global offices and needs to centrally manage security group rules to include new office CIDR ranges or remove outdated ones. The goal is to minimize administrative effort and costs when updating CIDR ranges across all accounts. Which solution MOST cost-effectively meets these requirements?

A

Deploy security groups in a central administrative account and share them across the organization using AWS Resource Access Manager (AWS RAM). Update these security groups manually when CIDR ranges change.

B

Create a customer-managed prefix list containing the CIDR ranges. Share the prefix list across the organization using AWS RAM. Reference the prefix list in all security group rules.

C

Use AWS Config to monitor CIDR range changes and trigger AWS Lambda functions to automatically update security groups in all accounts. Configure Amazon EventBridge to route change notifications.

D

Implement AWS Firewall Manager to create a security group policy that enforces CIDR ranges across the organization. Update the policy manually when CIDR ranges change.

Explanation

Answer B is correct because:
1. A customer-managed prefix list groups the office CIDR ranges into one reusable object. When the owner adds or removes an entry, every security group rule that references the list, in every account, picks up the change immediately; no rule has to be edited.
2. AWS RAM can share the prefix list with the whole organization (or selected OUs/accounts). Consumer accounts reference the list in their own security group rules but cannot modify it, so the CIDR set stays consistent and is maintained in exactly one place.
3. Cost-effectiveness: customer-managed prefix lists and AWS RAM carry no additional charge, and the design needs no extra services (AWS Config, Lambda, EventBridge, Firewall Manager) or custom automation to keep accounts in sync.

Why other options are incorrect:
- A: Security groups are not a resource type that AWS RAM can share on their own, so each account's security groups would still have to be edited by hand for every CIDR change. That is error-prone and does not scale across many accounts.
- C: AWS Config + EventBridge + Lambda works, but it adds custom code that has to be written, tested and maintained, plus ongoing Config recording and invocation costs, to solve a problem a shared prefix list already solves natively.
- D: Firewall Manager can push common security group policies across accounts, but it bills per policy per Region per month, requires AWS Config in every account, and the CIDR ranges in the policy still have to be updated manually. It is the most expensive option here.

Key Points: Use a customer-managed prefix list for centralized CIDR management and share it with AWS RAM; only the owning account can edit it. Size `max_entries` carefully: a security group rule that references a prefix list counts as that list's maximum entries against the security group's rules quota, so an over-sized list can exhaust the quota of every security group that uses it.
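The design in option B, written out as a Terraform configuration. This is an added example and not part of the original question bank or of any AWS documentation; it assumes Terraform with the AWS provider, a hypothetical member account ID, role name and VPC ID, constructed office CIDRs, and that the central account is the organization's management account (or has trusted access enabled) so that RAM is permitted to share with the organization.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

# Central administrative account: owns the prefix list and the RAM share.
provider "aws" {
  region = "us-east-1"
}

# A member account that consumes the shared list (hypothetical account and role).
provider "aws" {
  alias  = "member"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole"
  }
}

# Office CIDRs live in one map; editing it is the only change needed when an
# office opens or closes. Values are constructed sample ranges.
variable "office_cidrs" {
  type = map(string)
  default = {
    "london"    = "203.0.113.0/24"
    "singapore" = "198.51.100.0/24"
  }
}

# Allow RAM to share with the organization (applied once, from the management account).
resource "aws_ram_sharing_with_organization" "this" {}

data "aws_organizations_organization" "this" {}

resource "aws_ec2_managed_prefix_list" "offices" {
  name           = "corp-office-cidrs"
  address_family = "IPv4"
  # Every security group rule that references this list consumes max_entries
  # from that group's rules quota, so leave headroom but do not over-size it.
  max_entries = 20

  dynamic "entry" {
    for_each = var.office_cidrs
    content {
      cidr        = entry.value
      description = entry.key
    }
  }
}

resource "aws_ram_resource_share" "offices" {
  name                      = "corp-office-cidrs"
  allow_external_principals = false # organization members only
}

resource "aws_ram_resource_association" "offices" {
  resource_arn       = aws_ec2_managed_prefix_list.offices.arn
  resource_share_arn = aws_ram_resource_share.offices.arn
}

# Share with the whole organization; every current and future account can reference the list.
resource "aws_ram_principal_association" "org" {
  principal          = data.aws_organizations_organization.this.arn
  resource_share_arn = aws_ram_resource_share.offices.arn
  depends_on         = [aws_ram_sharing_with_organization.this]
}

# --- Member account: reference the shared list instead of hard-coding CIDRs ---

resource "aws_security_group" "app" {
  provider    = aws.member
  name        = "app-from-offices"
  description = "HTTPS from corporate offices"
  vpc_id      = "vpc-0123456789abcdef0" # hypothetical
}

resource "aws_vpc_security_group_ingress_rule" "offices_https" {
  provider          = aws.member
  security_group_id = aws_security_group.app.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  # The prefix list ID is identical in every account it is shared with.
  prefix_list_id    = aws_ec2_managed_prefix_list.offices.id
  description       = "Corporate offices via shared prefix list"
  depends_on        = [aws_ram_principal_association.org]
}
```

After the initial apply, adding or retiring an office is a one-line change to `office_cidrs` in the central account; the member accounts' rules never need to be touched, and a member cannot widen the allowed ranges because only the owning account can edit the list.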

Answer

The correct answer is: B