AWS Certified Security - Specialty

A company is managing its AWS infrastructure using AWS Organizations with a multi-account strategy. They have no on-premises infrastructure and all workloads are hosted on AWS. Currently, they have eight member accounts and expect to maintain no more than 20 accounts in total. The company has introduced a new security policy with the following stipulations:

1) No individual AWS account should utilize its own VPC for hosting workloads.
2) A centrally managed VPC should be established for all accounts to access and deploy workloads within designated subnets.
3) No account should possess the ability to alter another account's resources within this shared VPC.
4) The centrally managed VPC must be located in an existing account named Account-A within the organization.

To facilitate this, the company has created a VPC in Account-A using an AWS CloudFormation template, which includes multiple subnets and exports their IDs via the CloudFormation Outputs section. What solution should be implemented to fulfill these security requirements?




Explanation:

The correct answer is C. AWS Resource Access Manager (AWS RAM) lets you share AWS resources with other AWS accounts, including every account in an organization. Here, Account-A uses AWS RAM to share the subnets of its centrally managed VPC with the other member accounts, which then deploy their workloads into those shared subnets. Each participant account owns and controls only the resources it creates in a shared subnet, while the VPC itself stays under Account-A's control, so no account can modify another account's resources and the security policy is satisfied. The other options, a CloudFormation template using Fn::ImportValue, a transit gateway, or VPC peering connections, are less suitable: Fn::ImportValue only resolves exports from stacks in the same account and Region, and a transit gateway or peering connects separate VPCs, which adds configuration without meeting the requirement for centrally managed shared access in which accounts cannot alter each other's resources.
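One way to implement the chosen approach in Account-A, added here as an example and not part of the exam material: a CloudFormation template that creates an AWS RAM resource share for the subnets the existing VPC stack exports. The organization ARN and the export names shared-vpc-subnet-a and shared-vpc-subnet-b are assumed placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Deployed in Account-A (same account and Region as the VPC stack) to share
  the exported subnets with every member account through AWS RAM.
  Added example; export names and the organization ARN are placeholders.

Parameters:
  OrganizationArn:
    Type: String
    Description: >-
      Placeholder. The real value comes from
      'aws organizations describe-organization' in the management account,
      e.g. arn:aws:organizations::111111111111:organization/o-exampleid

Resources:
  SharedVpcSubnets:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: shared-vpc-subnets
      # Restrict the share to principals inside this organization.
      AllowExternalPrincipals: false
      # Sharing with the organization ARN requires that sharing with
      # AWS Organizations was first enabled from the management account
      # ('aws ram enable-sharing-with-aws-organization'); otherwise list
      # the member account IDs here instead.
      Principals:
        - !Ref OrganizationArn
      # RAM shares subnets by ARN. Fn::ImportValue resolves the IDs exported
      # by the VPC stack because this stack runs in the same account and
      # Region; it cannot read exports from another account, which is why a
      # cross-account ImportValue design does not work.
      ResourceArns:
        - !Sub
          - 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetId}'
          - SubnetId: !ImportValue shared-vpc-subnet-a   # assumed export name
        - !Sub
          - 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetId}'
          - SubnetId: !ImportValue shared-vpc-subnet-b   # assumed export name
      Tags:
        - Key: Purpose
          Value: centrally-managed-vpc

Outputs:
  ResourceShareArn:
    Description: ARN of the share; member accounts see the subnets under "Shared with me".
    Value: !Ref SharedVpcSubnets
```

Participant accounts can launch resources into the shared subnets but cannot change the subnets, route tables, or security groups they do not own, and cannot see or modify resources created by other participants.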