Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 110 discussion

The correct answer is A. In this solution, AWS Firewall Manager is used to manage AWS WAF rules across accounts in the organization. An AWS Systems Manager Parameter Store parameter is used to store account numbers and OUs to manage. This parameter can be updated as needed to add or remove accounts or OUs. An Amazon EventBridge rule is used to identify any changes to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Manager administrative account. This solution allows for easy management of AWS WAF rules across multiple accounts with minimal operational overhead.

https://aws.amazon.com/solutions/implementations/automations-for-aws-firewall-manager/

Correct answer is B. I would have said A like everyone else, but correct answer was provided in Udemy practice exam. Thanks to Organization structure, Config rules apply automatically to newly added accounts (fulfills requirements: least amount of operational overhead (as opposed to A - manually maintaining accounts and OU list). As often, AWS exam answers are partially off-track, a real-life deployment would be a clever combination of both A & B answers, using FW manager, Config and Cloudformation. https://aws.amazon.com/blogs/security/use-aws-firewall-manager-to-deploy-protection-at-scale-in-aws-organizations/

A. Use AWS Firewall Manager to manage AWS WAF rules across accounts in the organization. Use an AWS Systems Manager Parameter Store parameter to store account numbers and OUs to manage. Update the parameter as needed to add or remove accounts or OUs. Use an Amazon EventBridge rule to identify any changes to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Manager administrative account.

Option A

AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations Firewall Manager supports wide variety of services, including: ● AWS WAF ● VPC Security Groups ● AWS Network Firewall ● Route53 DNS Firewall ● AWS Shield Advanced ● Palo Alto Cloud Next-generation firewalls The Prerequisites are: AWS Organizations + AWS Config.

I have to say A is right. please take a look at this: https://aws.amazon.com/blogs/security/centrally-manage-aws-waf-api-v2-and-aws-managed-rules-at-scale-with-firewall-manager/

A is a good option

keyword == AWS Firewall Manager

the correct answer is A https://docs.aws.amazon.com/solutions/latest/automations-for-aws-firewall-manager/architecture-overview.html

This is a complex question. But I voted A because the Firewall manager seems to be the correct way to centralize the rules across accounts. Below are some interesting references I could find https://catalog.us-east-1.prod.workshops.aws/workshops/4cbaea3b-ceba-48e3-bd56-eca138f7a66c/en-US https://aws.amazon.com/blogs/security/use-aws-firewall-manager-vpc-security-groups-to-protect-applications-hosted-on-ec2-instances/ https://aws.amazon.com/blogs/security/automatically-updating-aws-waf-rule-in-real-time-using-amazon-eventbridge/

Use AWS Firewall Manager to manage AWS WAF rules

Not D, KMS to store account numbers ?

The correct answer is A.