Question #582
A company uses AWS Organizations with multiple accounts, including a central security account. The security account has an AWS Network Firewall that is shared with all other accounts via AWS Resource Access Manager (RAM). The company needs to centrally manage a list of allowed domain names for outbound traffic, which developers must reference to allow access to their applications securely with the LEAST operational overhead.
A. Host a JSON file in Amazon S3 that lists the allowed domain names. Configure an Amazon SNS topic in each account to trigger an AWS Lambda function when the file is updated. The Lambda function updates the Network Firewall rules in all accounts with the new domains.
B. Create an AWS Config managed rule containing the allowed domain names. Use the rule to check and auto-remediate noncompliant Network Firewall policies in all accounts.
C. In the security account, create a Network Firewall rule group with the allowed domain names. Share the rule group with all other accounts via RAM. Reference the shared rule group in the Network Firewall policies of the other accounts.
D. In the security account, create a security group with rules allowing traffic to the allowed domain names. Configure the Network Firewall policies in other accounts to reference this security group using a nested security group reference.
Explanation
Option C is correct because AWS Network Firewall allows rule groups to be shared across accounts via AWS Resource Access Manager (RAM). By centralizing the rule group in the security account, updates to the allowed domain names propagate automatically to all associated accounts, ensuring consistent enforcement with minimal effort. This eliminates the need for cross-account automation (Option A), avoids reliance on AWS Config remediation (Option B), and resolves the technical limitation of security groups not supporting domain-based rules (Option D).
Key Points:
1. AWS Network Firewall rule groups can be shared across accounts using RAM.
2. Centralized rule management reduces operational overhead.
3. Security groups cannot filter traffic by domain names (only IP/ports).
4. Auto-remediation via AWS Config (Option B) is less efficient than native rule group sharing.
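To make Option C concrete, the following Python builds the three request bodies the pattern relies on: a stateful domain-list rule group in the security account, the RAM resource share that offers it to the member accounts, and a member-account firewall policy that references the shared rule group by ARN. This is an added example written for this exam item, not AWS sample code; the account ids, organization ARN, region and names are constructed placeholders, and the script only constructs the JSON payloads (it makes no API calls), so it runs offline. The field names follow the CreateRuleGroup, CreateResourceShare and CreateFirewallPolicy APIs.

```python
"""Build the payloads for a centrally shared outbound domain allowlist.

Added example for this exam item, not AWS sample code. Account ids, ARNs and
names are constructed placeholders; nothing here talks to AWS, it only
assembles the request bodies so they can be inspected or fed to the CLI.
"""
import json
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# Optional leading "." marks a wildcard entry that also covers subdomains.
# This validator requires at least two labels ("example.com", ".example.com").
_DOMAIN_RE = re.compile(rf"^\.?(?:{_LABEL}\.)+{_LABEL}$")


def normalize_domains(domains):
    """Lower-case, de-duplicate and validate allowlist entries.

    Network Firewall domain lists take an exact FQDN ("example.com") or a
    wildcard entry with a leading dot (".example.com"). Schemes, paths, ports
    and "*."-style wildcards are rejected here before they reach the API.
    """
    seen, out = set(), []
    for raw in domains:
        d = raw.strip().lower().rstrip(".")
        if not _DOMAIN_RE.fullmatch(d):
            raise ValueError(f"invalid domain list entry: {raw!r}")
        if d not in seen:
            seen.add(d)
            out.append(d)
    return out


def build_domain_rule_group(name, domains, capacity=100):
    """CreateRuleGroup body for a stateful domain-list ALLOWLIST rule group.

    The engine matches on the HTTP Host header and the TLS SNI, so one list
    covers plaintext and TLS egress without decrypting anything.
    """
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "Description": "Centrally managed outbound domain allowlist",
        "RuleGroup": {
            "RulesSource": {
                "RulesSourceList": {
                    "Targets": normalize_domains(domains),
                    "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
                    "GeneratedRulesType": "ALLOWLIST",
                }
            }
        },
    }


def build_resource_share(rule_group_arn, principals):
    """CreateResourceShare body (AWS RAM) offering the rule group to member
    accounts, an OU or the whole organization."""
    return {
        "name": "shared-egress-domain-allowlist",
        "resourceArns": [rule_group_arn],
        "principals": list(principals),
        "allowExternalPrincipals": False,  # keep the share inside the org
    }


def build_member_policy(rule_group_arn):
    """CreateFirewallPolicy body for a member account: it references the
    shared rule group by ARN instead of copying the domain list."""
    return {
        "FirewallPolicyName": "egress-policy",
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [{"ResourceArn": rule_group_arn}],
        },
    }


if __name__ == "__main__":
    # Constructed placeholders: security account 111111111111, us-east-1.
    rg_arn = ("arn:aws:network-firewall:us-east-1:111111111111:"
              "stateful-rulegroup/allowed-domains")
    org_arn = "arn:aws:organizations::111111111111:organization/o-examplecorp"
    allowed = ["Updates.Example.com", ".pypi.example.net", "registry.example.org."]
    print(json.dumps(build_domain_rule_group("allowed-domains", allowed), indent=2))
    print(json.dumps(build_resource_share(rg_arn, [org_arn]), indent=2))
    print(json.dumps(build_member_policy(rg_arn), indent=2))
```

Each printed body can be passed to the matching CLI call (`aws network-firewall create-rule-group --cli-input-json`, `aws ram create-resource-share --cli-input-json`, `aws network-firewall create-firewall-policy --cli-input-json`). The operational point of Option C shows up in the third payload: a member account holds only the rule group ARN, so editing the domain list in the security account changes what every referencing firewall enforces without touching any member account.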
Answer
The correct answer is: C