
Answer-first summary for fast verification
Answer: Create a VPC customer managed prefix list that contains the list of CIDRs. Use AWS Resource Access Manager (AWS RAM) to share the prefix list across the organization. Use the prefix list in the security groups across the organization.
## Explanation

**Option B is the most cost-effective solution** because it uses a VPC customer managed prefix list, shared through AWS Resource Access Manager (AWS RAM), to maintain the office CIDR ranges in one place for the whole organization.

### Why Option B is correct

1. **Centralized management**: A customer managed prefix list holds a single set of CIDR ranges that security group rules in many accounts can reference by prefix list ID instead of repeating the CIDRs in every rule.
2. **Cross-account sharing**: AWS RAM can share the prefix list with the entire organization, an organizational unit, or individual accounts. Sharing with the organization requires that sharing with AWS Organizations be enabled in RAM from the management account. There is no charge for RAM.
3. **Single update point**: When an office CIDR range is added or removed, you modify the prefix list entries once. Every security group rule that references the list picks up the change without being edited, in every account the list is shared with.
4. **Cost-effective**: Customer managed prefix lists and RAM resource shares have no charge of their own.
5. **Scalable**: New accounts that join the organization can reference the shared list immediately; no per-account configuration is needed.

Two caveats to keep in mind when designing this:

- Prefix lists are regional. A security group can only reference a prefix list in its own Region, so a list must be created and shared in every Region in use.
- When a security group rule references a prefix list, the list's maximum number of entries counts against the security group's rule quota as that many rules. Size the list to the real number of office ranges rather than setting a large maximum.

### Why the other options are less optimal

**Option A**: Security groups are scoped to a VPC in a single account. A security group created in the management account cannot be attached to resources in other accounts' VPCs, so every account's security groups would still have to be edited by hand.

**Option C**: AWS managed prefix lists are created and maintained by AWS for specific services and cannot be edited by customers, so a Lambda function could not update one. Security Hub configuration policies govern Security Hub settings and controls, not security group rules. The combination adds complexity and cost without solving the problem.

**Option D**: AWS Firewall Manager can replicate a primary security group to accounts across the organization through a common security group policy, but it carries a per-policy, per-Region charge and an extra management layer. The CIDRs would still live inside the security group rules themselves, so this is more complex and more expensive than a prefix list shared with RAM.

### Key AWS services used

- **VPC customer managed prefix lists**: Let you define your own set of CIDR ranges as a single object that security group rules and route tables can reference.
- **AWS Resource Access Manager (AWS RAM)**: Shares supported resources, including prefix lists, with accounts, organizational units, or the whole organization.
- **Security groups**: Accept a prefix list ID as the source or destination of a rule.

This solution provides centralized management with minimal administrative overhead and cost, meeting all of the requirements.
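As an added illustration (not code from the page or from LeetQuiz), here is a Terraform configuration that implements Option B in two pieces: the account that owns the list and shares it with the organization, and a member account that references the shared list in a security group rule. The list name `office-cidrs`, the CIDR values, the port, and the `security_group_id` are assumed placeholders. It also assumes that sharing with AWS Organizations has already been enabled in RAM (`aws ram enable-sharing-with-aws-organization`, run from the management account).

```hcl
# --- Owner (networking) account: define the list once and share it ---
# Added example; names, CIDRs, ports and IDs are assumed placeholders.

# DescribeOrganization works from any member account, so this gives us the
# organization ARN to share with without hard-coding it.
data "aws_organizations_organization" "current" {}

resource "aws_ec2_managed_prefix_list" "office" {
  name           = "office-cidrs"
  address_family = "IPv4"
  # max_entries counts against the rule quota of every security group
  # that references this list, so keep it close to the real entry count.
  max_entries = 10

  entry {
    cidr        = "203.0.113.0/24" # constructed example office range
    description = "London office"
  }
  entry {
    cidr        = "198.51.100.0/24" # constructed example office range
    description = "Singapore office"
  }
}

resource "aws_ram_resource_share" "office_prefix_list" {
  name                      = "office-cidrs-share"
  allow_external_principals = false # organization members only
}

resource "aws_ram_resource_association" "office_prefix_list" {
  resource_arn       = aws_ec2_managed_prefix_list.office.arn
  resource_share_arn = aws_ram_resource_share.office_prefix_list.arn
}

# Share with the whole organization. Requires RAM sharing with
# AWS Organizations to be enabled from the management account.
resource "aws_ram_principal_association" "organization" {
  principal          = data.aws_organizations_organization.current.arn
  resource_share_arn = aws_ram_resource_share.office_prefix_list.arn
}

# --- Member account (applied as a separate root module with that
# --- account's credentials): reference the shared list ---

# Shared prefix lists are returned by DescribeManagedPrefixLists in the
# member account, so look the list up by name instead of pasting its ID.
data "aws_ec2_managed_prefix_list" "office" {
  name = "office-cidrs"
}

resource "aws_vpc_security_group_ingress_rule" "office_https" {
  security_group_id = "sg-0123456789abcdef0" # assumed placeholder
  description       = "HTTPS from all office ranges"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  # The rule references the list, not the CIDRs. Changing the entries in
  # the owner account changes what this rule allows without touching it.
  prefix_list_id = data.aws_ec2_managed_prefix_list.office.id
}
```

To add or retire an office, change only the `entry` blocks in the owner account and apply; the RAM share and the member accounts' rules stay as they are. The same update from the CLI is `aws ec2 modify-managed-prefix-list --prefix-list-id <id> --current-version <n> --add-entries Cidr=<cidr>,Description=<text>` (or `--remove-entries Cidr=<cidr>`), where `--current-version` must match the list's current version so that concurrent edits do not overwrite each other.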
Author: LeetQuiz Editorial Team
A company has multiple AWS accounts in an organization in AWS Organizations that different business units use. The company has multiple offices around the world. The company needs to update security group rules to allow new office CIDR ranges or to remove old CIDR ranges across the organization. The company wants to centralize the management of security group rules to minimize the administrative overhead that updating CIDR ranges requires.
Which solution will meet these requirements MOST cost-effectively?
A
Create VPC security groups in the organization's management account. Update the security groups when a CIDR range update is necessary.
B
Create a VPC customer managed prefix list that contains the list of CIDRs. Use AWS Resource Access Manager (AWS RAM) to share the prefix list across the organization. Use the prefix list in the security groups across the organization.
C
Create an AWS managed prefix list. Use an AWS Security Hub policy to enforce the security group update across the organization. Use an AWS Lambda function to update the prefix list automatically when the CIDR ranges change.
D
Create security groups in a central administrative AWS account. Create an AWS Firewall Manager common security group policy for the whole organization. Select the previously created security groups as primary groups in the policy.