Question #728
A company is using AWS Organizations to manage multiple AWS accounts. A solutions architect needs to enforce a baseline security policy against the Open Web Application Security Project (OWASP) Top 10 web application vulnerabilities across all accounts. The architect plans to use AWS WAF for all existing and new Amazon CloudFront distributions within the organization. Which combination of steps should the solutions architect take to ensure the baseline protection? (Choose three.)
A. Enable AWS Config in all accounts
B. Enable Amazon Inspector in all accounts
C. Enable all features for the organization
D. Use AWS Firewall Manager to deploy AWS WAF rules in all accounts for all CloudFront distributions
E. Use AWS Shield Advanced to manage AWS WAF rules for all CloudFront distributions
F. Use AWS Security Hub to aggregate compliance findings for AWS WAF rules
Explanation
To enforce OWASP Top 10 compliance using AWS WAF across all accounts:
- A: Enable AWS Config in every account. Firewall Manager depends on AWS Config to discover CloudFront distributions and to report whether each one complies with the WAF policy.
- C: Enable all AWS Organizations features to activate service integrations like Firewall Manager.
- D: Use Firewall Manager to deploy WAF rules centrally for all CloudFront distributions.
Why others are incorrect:
- B (Inspector): Assesses EC2 instances and workloads for software vulnerabilities; it does not deploy or manage WAF rules.
- E (Shield Advanced): Provides DDoS protection and response; it does not centrally deploy WAF rules across accounts.
- F (Security Hub): Aggregates findings but doesn't enforce policies.
Key Points:
1. Firewall Manager requires the organization to have all features enabled (consolidated billing alone is not enough).
2. Firewall Manager automates WAF rule deployment at scale, covering both existing and newly created CloudFront distributions.
3. AWS Config, which Firewall Manager relies on, provides ongoing compliance monitoring.
Answer
The correct answer is: ACD