
Answer-first summary for fast verification
Answer: Create a new prefix list. Add all allowed IP address ranges to the prefix list. Share the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM). Update security groups to use the prefix list instead of the partner IP address range. Update the prefix list with the new IP address range when the company adds a new partner.
The most operationally efficient way to centrally manage the partner network IP address ranges across multiple AWS accounts is a customer-managed prefix list shared across accounts with AWS Resource Access Manager (AWS RAM). Security group rules reference the prefix list ID rather than individual CIDRs, so when a partner is added the engineer edits only the prefix list; every security group rule that references it, in every account the list is shared with, picks up the new range without any per-account change. This is more efficient than the DynamoDB or S3 designs, which add a Lambda function and deployment in every account to replicate what the prefix list and AWS RAM already provide natively, adding operational overhead and room for error. Option C implements this correctly: create the prefix list, share it with AWS RAM, and update the security groups to reference the prefix list.
Author: LeetQuiz Editorial Team
A company operates multiple production applications across various AWS accounts, all within the us-east-1 Region. These applications are accessible only to specific partner companies and are hosted on Amazon EC2 instances within an Auto Scaling group behind an Application Load Balancer (ALB). The EC2 instances reside in private subnets and are configured to accept traffic solely from the ALB. The ALB, located in a public subnet, permits inbound traffic exclusively from partner network IP address ranges over port 80.
Currently, when a new partner is added, the company must update the security group associated with the ALB in each account to include the partner's IP address range. A network engineer needs to implement a solution to centrally manage these partner network IP address ranges.
What is the MOST operationally efficient solution to meet these requirements?
A
Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be updated. Update the DynamoDB table with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the DynamoDB table to update the security groups. Deploy this solution in all accounts.
B
Create a new prefix list. Add all allowed IP address ranges to the prefix list. Use Amazon EventBridge (Amazon CloudWatch Events) rules to invoke an AWS Lambda function to update security groups whenever a new IP address range is added to the prefix list. Deploy this solution in all accounts.
C
Create a new prefix list. Add all allowed IP address ranges to the prefix list. Share the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM). Update security groups to use the prefix list instead of the partner IP address range. Update the prefix list with the new IP address range when the company adds a new partner.
D
Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be updated. Update the S3 bucket with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the S3 bucket to update the security groups. Deploy this solution in all accounts.
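The option C design expressed as Terraform, added here as an illustration; it is not part of the original question or its explanation. The two provider aliases, the application account ID, the security group variable and the partner CIDR are placeholders.

```hcl
provider "aws" {
  alias  = "owner" # account that manages the list (placeholder role)
  region = "us-east-1"
}
provider "aws" {
  alias  = "app" # one of the application accounts (placeholder role)
  region = "us-east-1"
}
variable "alb_security_group_id" { type = string } # placeholder, per application account

# 1. One managed prefix list holds every partner range.
resource "aws_ec2_managed_prefix_list" "partners" {
  provider       = aws.owner
  name           = "partner-ingress"
  address_family = "IPv4"
  max_entries    = 50 # counts against the rule quota of every referencing security group
  entry {
    cidr        = "203.0.113.0/24" # constructed placeholder (TEST-NET-3)
    description = "partner-a"
  }
  # Onboarding a new partner = adding another entry block here; no security group changes.
}

# 2. Share the list with the application accounts through AWS RAM.
resource "aws_ram_resource_share" "partners" {
  provider                  = aws.owner
  name                      = "partner-prefix-list"
  allow_external_principals = false # only accounts in the same organization
}
resource "aws_ram_resource_association" "partners" {
  provider           = aws.owner
  resource_arn       = aws_ec2_managed_prefix_list.partners.arn
  resource_share_arn = aws_ram_resource_share.partners.arn
}
resource "aws_ram_principal_association" "app_account" {
  provider           = aws.owner
  principal          = "111122223333" # placeholder application account ID
  resource_share_arn = aws_ram_resource_share.partners.arn
}

# 3. Each application account's ALB security group references the shared list instead of CIDRs.
resource "aws_security_group_rule" "alb_partner_http" {
  provider          = aws.app
  type              = "ingress"
  security_group_id = var.alb_security_group_id
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  prefix_list_ids   = [aws_ec2_managed_prefix_list.partners.id]
}
```

With allow_external_principals = false the application account must belong to the same AWS Organization with RAM sharing enabled for the organization; otherwise the account has to accept the share invitation before the prefix list ID resolves in its security group rule.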