Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 110 discussion

A company wants to deploy an AWS WAF solution to manage AWS WAF rules across multiple AWS accounts. The accounts are managed under different OUs in AWS Organizations.

Administrators must be able to add or remove accounts or OUs from managed AWS WAF rule sets as needed. Administrators also must have the ability to automatically update and remediate noncompliant AWS WAF rules in all accounts.

Which solution meets these requirements with the LEAST amount of operational overhead?

  • A. Use AWS Firewall Manager to manage AWS WAF rules across accounts in the organization. Use an AWS Systems Manager Parameter Store parameter to store account numbers and OUs to manage. Update the parameter as needed to add or remove accounts or OUs. Use an Amazon EventBridge rule to identify any changes to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Manager administrative account.
  • B. Deploy an organization-wide AWS Config rule that requires all resources in the selected OUs to associate the AWS WAF rules. Deploy automated remediation actions by using AWS Lambda to fix noncompliant resources. Deploy AWS WAF rules by using an AWS CloudFormation stack set to target the same OUs where the AWS Config rule is applied.
  • C. Create AWS WAF rules in the management account of the organization. Use AWS Lambda environment variables to store account numbers and OUs to manage. Update environment variables as needed to add or remove accounts or OUs. Create cross-account IAM roles in member accounts. Assume the roles by using AWS Security Token Service (AWS STS) in the Lambda function to create and update AWS WAF rules in the member accounts.
  • D. Use AWS Control Tower to manage AWS WAF rules across accounts in the organization. Use AWS Key Management Service (AWS KMS) to store account numbers and OUs to manage. Update AWS KMS as needed to add or remove accounts or OUs. Create IAM users in member accounts. Allow AWS Control Tower in the management account to use the access key and secret access key to create and update AWS WAF rules in the member accounts.
Suggested Answer: A
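The Lambda function that option A describes, as an added example that is not part of the exam question or any comment here: it handles the EventBridge "Parameter Store Change" event, validates the account and OU IDs found in the parameter, and rewrites the IncludeMap of the Firewall Manager policy. The parameter's JSON shape, the `FMS_POLICY_ID` environment variable and the sample IDs are assumptions.

```python
import json
import os
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
OU_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")


def parse_scope(parameter_value):
    """Parse the parameter's JSON into validated account and OU ID lists.

    Assumed value shape: {"accounts": ["111122223333"], "ous": ["ou-abcd-12345678"]}.
    Malformed IDs are rejected so that a typo, or a tampered parameter, cannot
    silently change which accounts the WAF policy is applied to.
    """
    data = json.loads(parameter_value)
    accounts = sorted({str(a) for a in data.get("accounts", [])})
    ous = sorted({str(o) for o in data.get("ous", [])})
    bad = [a for a in accounts if not ACCOUNT_RE.match(a)]
    bad += [o for o in ous if not OU_RE.match(o)]
    if bad:
        raise ValueError(f"invalid account/OU identifiers: {bad}")
    if not accounts and not ous:
        raise ValueError("scope must name at least one account or OU")
    return accounts, ous


def build_include_map(accounts, ous):
    """Build the IncludeMap that fms:PutPolicy expects (keys ACCOUNT and ORGUNIT)."""
    return {k: v for k, v in (("ACCOUNT", accounts), ("ORGUNIT", ous)) if v}


def apply_scope(policy, include_map):
    """Return a copy of the 'Policy' dict from fms:GetPolicy with a new IncludeMap.

    PolicyUpdateToken is kept as returned; PutPolicy rejects a stale or missing token.
    ExcludeMap is dropped because Firewall Manager ignores it once IncludeMap is set.
    """
    updated = dict(policy)
    updated["IncludeMap"] = include_map
    updated.pop("ExcludeMap", None)
    updated["RemediationEnabled"] = True  # auto-remediate noncompliant web ACLs
    return updated


def lambda_handler(event, context):
    """Handler for the EventBridge 'Parameter Store Change' event (source aws.ssm)."""
    import boto3  # imported here so the pure functions above run without it
    name = event["detail"]["name"]  # the parameter that was created or updated
    value = boto3.client("ssm").get_parameter(Name=name)["Parameter"]["Value"]
    accounts, ous = parse_scope(value)
    fms = boto3.client("fms")  # runs in the Firewall Manager administrator account
    policy = fms.get_policy(PolicyId=os.environ["FMS_POLICY_ID"])["Policy"]
    fms.put_policy(Policy=apply_scope(policy, build_include_map(accounts, ous)))
```

Scoping the Lambda role to `ssm:GetParameter` on that one parameter plus `fms:GetPolicy` and `fms:PutPolicy` on that one policy keeps the automation from becoming a path to widen WAF coverage arbitrarily.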

Comments

masetromain
Highly Voted 2 years, 2 months ago
Selected Answer: A
The correct answer is A. In this solution, AWS Firewall Manager is used to manage AWS WAF rules across accounts in the organization. An AWS Systems Manager Parameter Store parameter is used to store account numbers and OUs to manage. This parameter can be updated as needed to add or remove accounts or OUs. An Amazon EventBridge rule is used to identify any changes to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Manager administrative account. This solution allows for easy management of AWS WAF rules across multiple accounts with minimal operational overhead.
upvoted 20 times
masetromain
2 years, 2 months ago
Option B does not meet the requirement of being able to add or remove accounts or OUs from managed AWS WAF rule sets as needed. Option C is not the best approach as it requires manual configuration of the cross-account IAM roles and assume-role calls in the Lambda function, increasing the operational overhead. Option D does not meet the requirement of providing a centralized management console to manage the WAF rules across multiple accounts.
upvoted 3 times
Aquaman
6 days, 1 hour ago
B doesn't allow you to target just accounts. The question is asking for a solution that can target accounts and OUs.
upvoted 1 times
Untamables
Highly Voted 2 years, 1 month ago
Selected Answer: A
https://aws.amazon.com/solutions/implementations/automations-for-aws-firewall-manager/
upvoted 6 times
d0ug7979
Most Recent 5 months, 4 weeks ago
Selected Answer: B
The correct answer is B. I would have said A like everyone else, but the correct answer was provided in a Udemy practice exam. Thanks to the Organizations structure, Config rules apply automatically to newly added accounts (fulfilling the requirement for the least amount of operational overhead, as opposed to A, which means manually maintaining the account and OU list). As often happens, AWS exam answers are partially off-track; a real-life deployment would be a clever combination of both the A and B answers, using Firewall Manager, Config and CloudFormation. https://aws.amazon.com/blogs/security/use-aws-firewall-manager-to-deploy-protection-at-scale-in-aws-organizations/
upvoted 2 times
amministrazione
6 months, 2 weeks ago
A. Use AWS Firewall Manager to manage AWS WAF rules across accounts in the organization. Use an AWS Systems Manager Parameter Store parameter to store account numbers and OUs to manage. Update the parameter as needed to add or remove accounts or OUs. Use an Amazon EventBridge rule to identify any changes to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Manager administrative account.
upvoted 1 times
career360guru
1 year, 2 months ago
Selected Answer: A
Option A
upvoted 1 times
venvig
1 year, 6 months ago
Selected Answer: A
AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. Firewall Manager supports a wide variety of services, including:
  • AWS WAF
  • VPC Security Groups
  • AWS Network Firewall
  • Route 53 DNS Firewall
  • AWS Shield Advanced
  • Palo Alto Cloud Next-generation firewalls
The prerequisites are: AWS Organizations + AWS Config.
upvoted 5 times
CuteRunRun
1 year, 7 months ago
Selected Answer: A
I have to say A is right. Please take a look at this: https://aws.amazon.com/blogs/security/centrally-manage-aws-waf-api-v2-and-aws-managed-rules-at-scale-with-firewall-manager/
upvoted 2 times
NikkyDicky
1 year, 8 months ago
Selected Answer: A
A is a good option
upvoted 1 times
SkyZeroZx
1 year, 9 months ago
Selected Answer: A
keyword == AWS Firewall Manager
upvoted 3 times
tromyunpak
1 year, 9 months ago
The correct answer is A: https://docs.aws.amazon.com/solutions/latest/automations-for-aws-firewall-manager/architecture-overview.html
upvoted 2 times
rbm2023
1 year, 10 months ago
Selected Answer: A
This is a complex question. But I voted A because Firewall Manager seems to be the correct way to centralize the rules across accounts. Below are some interesting references I could find:
https://catalog.us-east-1.prod.workshops.aws/workshops/4cbaea3b-ceba-48e3-bd56-eca138f7a66c/en-US
https://aws.amazon.com/blogs/security/use-aws-firewall-manager-vpc-security-groups-to-protect-applications-hosted-on-ec2-instances/
https://aws.amazon.com/blogs/security/automatically-updating-aws-waf-rule-in-real-time-using-amazon-eventbridge/
upvoted 3 times
mfsec
1 year, 11 months ago
Selected Answer: A
Use AWS Firewall Manager to manage AWS WAF rules
upvoted 2 times
God_Is_Love
2 years ago
Selected Answer: A
Not D; KMS to store account numbers?
upvoted 1 times
zozza2023
2 years, 1 month ago
Selected Answer: A
The correct answer is A.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other