Question 37
Domain 1: Design Solutions for Organizational Complexity
A company has an organization with many AWS accounts in AWS Organizations. A solutions architect must improve how the company manages common security group rules for the AWS accounts in the organization. Each AWS account keeps a common set of IP CIDR ranges in an allow list to permit access to and from the company's on-premises network. Developers within each account are responsible for adding new IP CIDR ranges to their security groups. The security team has its own AWS account. Currently, the security team notifies the owners of the other AWS accounts when changes are made to the allow list. The solutions architect must design a solution that distributes the common set of CIDR ranges across all accounts. Which solution meets these requirements with the LEAST amount of operational overhead?
Correct answer: B
Explanation
A customer-managed prefix list holds the CIDR allow list in one place, and AWS Resource Access Manager (AWS RAM) can share that prefix list with the whole organization. Each account then references the same prefix list ID in its security group rules instead of copying CIDRs, so a change made once by the security team takes effect everywhere without per-account edits or manual notifications. That is the least operational overhead of the four options.
Why each option is right or wrong
A. Create new customer-managed prefix lists in each AWS account within the organization. Populate the prefix lists in each account with all internal CIDR ranges. Notify the owner of each AWS account to allow the new customer-managed prefix list IDs in their security groups. Instruct the security team to share updates with each AWS account owner.
Incorrect. A separate prefix list per account is just the existing allow list in a different form: every CIDR change still has to be communicated to, and applied by, each account owner, and the copies drift. Centralized sharing, not duplication, is what removes that overhead.
B. Create a new customer-managed prefix list in the security team's AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list.... organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups.
Correct. AWS RAM is the cross-account sharing mechanism for supported resources, and customer-managed prefix lists are shareable, so one centrally maintained CIDR set can be referenced by security groups in many accounts. Only the owning account (the security team) can modify the list; consuming accounts reference the prefix list ID in a rule and automatically pick up each new version the owner publishes. The one-time notification is just to tell owners the prefix list ID exists. Two practical caveats: sharing with an organization requires RAM sharing with AWS Organizations to be enabled once from the management account, and both prefix lists and RAM shares are regional, so the security team maintains one list per region in use. A prefix list's maximum entry count also counts against the rule quota of every security group that references it, so it should be sized to the real need.
C. Create an IAM role in each account in the organization. Grant permissions to update security groups. Deploy an AWS Lambda function in the security team's AWS account. Configure the Lambda function to take a list of internal IP addresses as input, assume a role in each organization account, and add the list of IP addresses to the security groups in each account.
Incorrect. This works mechanically but requires custom code, a cross-account role in every account, and write access to security groups from the security account. Each run still adds raw CIDRs rule by rule in every account, which must be kept in sync as accounts and security groups are added, so the operational burden is higher than a shared prefix list.
D. Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team's AWS account. Deploy an AWS Lambda function in each AWS account. Configure the Lambda function to run every time the SNS topic receives a message. Configure the Lambda function to take an IP address as input and add it to a list of security groups in the account. Instruct the security team to distribute changes by publishing messages to its SNS topic.
Incorrect. This requires deploying and maintaining a Lambda function and a cross-account SNS subscription in every account, plus custom code that edits security groups one CIDR at a time. It is far more to build and operate than sharing a single prefix list, and it still leaves per-account rule copies that can drift or fail silently.
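The following CloudFormation templates are an added example of option B, not part of the original question or answer key. The first is deployed in the security team's account and creates the prefix list plus the RAM share to the organization; the second is what a developer deploys in any member account to reference it. The region, organization ID, account ID, prefix list ID and CIDR values are placeholders and constructed sample data.

```yaml
# Added example (not from the original page). Placeholders: account 111111111111,
# organization o-exampleorg1, prefix list pl-0123456789abcdef0; CIDRs are samples.
#
# Template 1: security team's account (prefix list owner). Deploy once per region.
AWSTemplateFormatVersion: "2010-09-09"
Description: Central on-premises CIDR allow list shared to the organization
Resources:
  OnPremCidrs:
    Type: AWS::EC2::PrefixList
    Properties:
      PrefixListName: corp-onprem-allow-list
      AddressFamily: IPv4
      # MaxEntries counts against the rule quota of every security group that
      # references this list, so size it to the real need, not the maximum.
      MaxEntries: 20
      Entries:
        - Cidr: 10.20.0.0/16
          Description: Example on-premises data centre range (sample)
        - Cidr: 192.168.100.0/24
          Description: Example VPN client pool (sample)
  OnPremCidrsShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: corp-onprem-allow-list-share
      ResourceArns:
        - !GetAtt OnPremCidrs.Arn
      # Sharing with the organization principal requires that
      # `aws ram enable-sharing-with-aws-organization` was run once from the
      # management account; otherwise the share is created but never accepted.
      Principals:
        - arn:aws:organizations::111111111111:organization/o-exampleorg1
      AllowExternalPrincipals: false
Outputs:
  PrefixListId:
    Description: ID that member accounts reference in their security group rules
    Value: !Ref OnPremCidrs

---
# Template 2: any member account (consumer). The developer references the
# published prefix list ID and never types a CIDR.
AWSTemplateFormatVersion: "2010-09-09"
Description: Security group that allows HTTPS only from the shared on-prem allow list
Parameters:
  OnPremPrefixListId:
    Type: String
    Default: pl-0123456789abcdef0   # placeholder; use the ID from the security team
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS from the corporate on-premises ranges only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          # Rule source is the shared prefix list, not a CIDR; when the owner
          # publishes a new version of the list this rule follows it automatically.
          SourcePrefixListId: !Ref OnPremPrefixListId
```

To confirm the share worked, a member account can run `aws ec2 describe-managed-prefix-lists` and should see the list with the security team's account as OwnerId; the owner can check `aws ram get-resource-shares --resource-owner SELF`. Because one edit in the security account now changes inbound allow rules across the organization, restrict `ec2:ModifyManagedPrefixList` on that list to a small set of principals and alert on its use in CloudTrail; a prefix list that is referenced by security groups cannot be deleted until those references are removed.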