Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 53 discussion

A company has an organization in AWS Organizations that has a large number of AWS accounts. One of the AWS accounts is designated as a transit account and has a transit gateway that is shared with all of the other AWS accounts. AWS Site-to-Site VPN connections are configured between all of the company’s global offices and the transit account. The company has AWS Config enabled on all of its accounts.

The company’s networking team needs to centrally manage a list of internal IP address ranges that belong to the global offices. Developers will reference this list to gain access to their applications securely.

Which solution meets these requirements with the LEAST amount of operational overhead?

  • A. Create a JSON file that is hosted in Amazon S3 and that lists all of the internal IP address ranges. Configure an Amazon Simple Notification Service (Amazon SNS) topic in each of the accounts that can be invoked when the JSON file is updated. Subscribe an AWS Lambda function to the SNS topic to update all relevant security group rules with the updated IP address ranges.
  • B. Create a new AWS Config managed rule that contains all of the internal IP address ranges. Use the rule to check the security groups in each of the accounts to ensure compliance with the list of IP address ranges. Configure the rule to automatically remediate any noncompliant security group that is detected.
  • C. In the transit account, create a VPC prefix list with all of the internal IP address ranges. Use AWS Resource Access Manager to share the prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts.
  • D. In the transit account, create a security group with all of the internal IP address ranges. Configure the security groups in the other accounts to reference the transit account’s security group by using a nested security group reference of “/sg-1a2b3c4d”.
Suggested Answer: C
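As an added example that is not part of the page or of AWS documentation, here is option C expressed in Terraform: the prefix list lives in the transit account, is shared to the whole organization through RAM, and a spoke account's security group allows HTTPS only from the shared list. The provider aliases, account IDs, organization ARN, security group ID and office CIDRs are assumed placeholders.

```hcl
# Added example, not page/AWS code. Assumed provider aliases: "transit" (list owner)
# and "spoke" (consumer). Account IDs, org ARN, SG ID and CIDRs are placeholders.
locals {
  office_cidrs = {
    "london"   = "10.10.0.0/16" # constructed sample ranges
    "new-york" = "10.20.0.0/16"
  }
}

# Transit account: the single source of truth for office ranges.
resource "aws_ec2_managed_prefix_list" "offices" {
  provider       = aws.transit
  name           = "global-office-ranges"
  address_family = "IPv4"
  max_entries    = 20 # headroom for new offices; counts against the SG rule quota
  dynamic "entry" {
    for_each = local.office_cidrs
    content {
      cidr        = entry.value
      description = entry.key
    }
  }
}
# Share the list with the whole organization through RAM.
resource "aws_ram_resource_share" "offices" {
  provider                  = aws.transit
  name                      = "global-office-ranges"
  allow_external_principals = false # the list never leaves the organization
}
resource "aws_ram_resource_association" "offices" {
  provider           = aws.transit
  resource_arn       = aws_ec2_managed_prefix_list.offices.arn
  resource_share_arn = aws_ram_resource_share.offices.arn
}
resource "aws_ram_principal_association" "org" {
  provider           = aws.transit
  principal          = "arn:aws:organizations::111111111111:organization/o-placeholder"
  resource_share_arn = aws_ram_resource_share.offices.arn
}

# Spoke account: reference the shared list by ID; no CIDRs are copied here.
resource "aws_vpc_security_group_ingress_rule" "office_https" {
  provider          = aws.spoke
  security_group_id = "sg-0123456789abcdef0" # placeholder
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = aws_ec2_managed_prefix_list.offices.id
}
```

Adding an office is one new map entry in the transit account; every spoke rule that references the list follows without any change on the spoke side. Sharing to the organization ARN requires RAM sharing with AWS Organizations to be enabled in the management account first.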

Comments

masetromain
Highly Voted 2 years, 3 months ago
Selected Answer: C
The correct answer is option C. In this solution, a VPC prefix list is created in the transit account with all of the internal IP address ranges, and then shared to all of the other accounts using AWS Resource Access Manager. This allows for central management of the IP address ranges, and eliminates the need for manual updates to security group rules in each account. This solution also allows for compliance checks to be run using AWS Config and for any non-compliant security groups to be automatically remediated. Option A is not correct because it would require manual updates to the JSON file and would also require developers to manually update their security group rules, which would lead to operational overhead. Option B is not correct because it would require the creation of a new AWS Config managed rule and it would also require manual updates to the security group rules in each account. Option D is not correct because it would require manual updates to the security group in the transit account and it would also lead to operational overhead.
upvoted 24 times
jpa8300
1 year, 3 months ago
I agree that option C is probably the best one, but B is also correct: there are no manual updates to the SG, the remediation is automated in AWS Config. In option C you also need to manually update the prefix list, no? Imagine a new CIDR appears in the offices.
upvoted 1 times
chicagobeef
1 year, 3 months ago
I doubt all the security groups in the accounts will use the same CIDR ranges. They just need a way to centrally manage the CIDR prefixes. The question did not say that everyone has to comply and that any non-compliant resources need to be remediated.
upvoted 2 times
Aritra88
Most Recent 4 months, 2 weeks ago
Selected Answer: C
A VPC Prefix List is a reusable, user-defined resource in Amazon Virtual Private Cloud (VPC) that contains a collection of IP address ranges. These ranges can represent destinations or sources for traffic, and the prefix list can be referenced in various configurations like security groups, route tables, or network ACLs.
upvoted 1 times
Tiger4Code
4 months, 3 weeks ago
Selected Answer: C
C: in the shared account create a VPC Prefix list, share it using RAM, then SGs can reference it
upvoted 1 times
amministrazione
7 months, 4 weeks ago
C. In the transit account, create a VPC prefix list with all of the internal IP address ranges. Use AWS Resource Access Manager to share the prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts.
upvoted 1 times
ninomfr64
1 year, 3 months ago
Selected Answer: C
Not A. This requires maintaining the JSON file, an SNS topic in each account, and a Lambda to update the SGs. This is a lot of work, and it is also not clear which account holds the S3 bucket with the JSON. Not B. I was not able to spot a managed AWS Config rule that could help in this case: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html (but I do not recall managed rules by heart and this doesn't sound like a remote use case, so in the exam this could trick me).
upvoted 2 times
ninomfr64
1 year, 3 months ago
Not D. You can reference a VPC SG in another account's VPCs when you have VPC peering in place, which is not mentioned in the scenario: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html. Since there is a Transit Gateway involved it is unlikely to have VPC peering, and the resources in a VPC attached to a transit gateway cannot access the security groups of a different VPC that is also attached to the same transit gateway: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html (this option initially was not bad for me). C works well as prefix lists are created exactly for this purpose: https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html
upvoted 2 times
NikkyDicky
1 year, 9 months ago
Selected Answer: C
C for sure
upvoted 1 times
Asds
1 year, 10 months ago
Selected Answer: C
Definitely prefix
upvoted 1 times
mfsec
2 years ago
Selected Answer: C
prefix list and RAM
upvoted 2 times
dev112233xx
2 years, 1 month ago
Selected Answer: C
C makes sense ✅
upvoted 2 times
zozza2023
2 years, 2 months ago
Selected Answer: C
https://www.examtopics.com/discussions/amazon/view/82131-exam-aws-certified-solutions-architect-professional-topic-1/
upvoted 2 times
AjayD123
2 years, 3 months ago
Selected Answer: C
https://aws.amazon.com/blogs/networking-and-content-delivery/simplify-network-routing-and-security-administration-with-vpc-prefix-lists/#:~:text=A%20Prefix%20List%20is%20a,Resource%20Access%20Manager%20(RAM).
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), other