Examice

Exam SAA-C03 All QuestionsBrowse all questions from this exam

Question 657

A company has multiple AWS accounts in an organization in AWS Organizations that different business units use. The company has multiple offices around the world. The company needs to update security group rules to allow new office CIDR ranges or to remove old CIDR ranges across the organization. The company wants to centralize the management of security group rules to minimize the administrative overhead that updating CIDR ranges requires.

Which solution will meet these requirements MOST cost-effectively?

Create VPC security groups in the organization's management account. Update the security groups when a CIDR range update is necessary.

Create a VPC customer managed prefix list that contains the list of CIDRs. Use AWS Resource Access Manager (AWS RAM) to share the prefix list across the organization. Use the prefix list in the security groups across the organization.

Create an AWS managed prefix list. Use an AWS Security Hub policy to enforce the security group update across the organization. Use an AWS Lambda function to update the prefix list automatically when the CIDR ranges change.

Create security groups in a central administrative AWS account. Create an AWS Firewall Manager common security group policy for the whole organization. Select the previously created security groups as primary groups in the policy.

Correct Answer: B

Creating a VPC customer-managed prefix list that contains the list of CIDRs and using AWS Resource Access Manager (AWS RAM) to share the prefix list across the organization is the most cost-effective solution. This approach simplifies the management of security group rules by allowing updates to the prefix list instead of individually updating each security group. This centralization minimizes administrative overhead by utilizing a single point of update for all office CIDR ranges, ensuring all security groups referencing the prefix list are automatically updated when changes occur.

Discussion

TariqKipkemeiOption: B

A managed prefix list is a set of one or more CIDR blocks. You can use prefix lists to make it easier to configure and maintain your security groups and route tables. You can create a prefix list from the IP addresses that you frequently use, and reference them as a set in security group rules and routes instead of referencing them individually. If you scale your network and need to allow traffic from another CIDR block, you can update the relevant prefix list and all security groups that use the prefix list are updated. You can also use managed prefix lists with other AWS accounts using Resource Access Manager (RAM). https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html#:~:text=A-,managed%20prefix,-list%20is%20a

awsgeek75

Such a badly worded question: "The company has multiple offices around the world. The company needs to update security group rules to allow new office CIDR ranges or to remove old CIDR ranges across the organization." Are the CIDR groups associated to offices? That will be illogical. I think it should be VPC and not offices.

achechenOption: B

looks like B is the answer. Reference: https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html

Gape4Option: B

I will go for B

KennethNg923Option: B

prefix list for CIDR blocks

avdxeqtrOption: B

https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html

ale_brd_Option: B

Answer is B