AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 203
A company has VPCs across 50 AWS accounts and is using AWS Organizations. The company wants to implement web filtering. The requirements for how the traffic must be filtered are the same for all the VPCs. A network engineer plans to use AWS Network Firewall. The network engineer needs to implement a solution that minimizes the number of firewall policies and rule groups that are necessary for this web filtering.
Which combination of steps will meet these requirements? (Choose three.)
Answer options
- A. Create a firewall policy or rule group in each account.
- B. Use SCPs to share the firewall policy or rule group.
- C. Create a firewall policy or rule group in the management account.
- D. Use AWS Resource Access Manager (AWS RAM) to share the firewall policy or rule group.
- E. Enable sharing within Organizations.
- F. Create OUs to share the firewall policy or rule group.
Correct answer: C, D, E
Explanation
The correct steps are to create a single firewall policy or rule group in the management account (C), share it with the other accounts using AWS Resource Access Manager (D), and enable sharing with AWS Organizations in AWS RAM (E) so the share can target the whole organization rather than requiring per-account invitations. Because the filtering requirements are identical for all VPCs, one shared policy or rule group avoids maintaining 50 copies. Option A creates a separate policy or rule group in every account, which is exactly the redundancy to be avoided. Options B and F do not share resources at all: SCPs only restrict the permissions available in member accounts, and OUs only group accounts within the organization.