AWS Certified Solutions Architect – Associate (SAA-C03) — Question 623

A company has multiple AWS accounts in an organization in AWS Organizations that different business units use. The company has multiple offices around the world. The company needs to update security group rules to allow new office CIDR ranges or to remove old CIDR ranges across the organization. The company wants to centralize the management of security group rules to minimize the administrative overhead that updating CIDR ranges requires.

Which solution will meet these requirements MOST cost-effectively?

Answer options

• A. Create VPC security groups in the organization's management account. Update the security groups when a CIDR range update is necessary.
• B. Create a VPC customer managed prefix list that contains the list of CIDRs. Use AWS Resource Access Manager (AWS RAM) to share the prefix list across the organization. Use the prefix list in the security groups across the organization.
• C. Create an AWS managed prefix list. Use an AWS Security Hub policy to enforce the security group update across the organization. Use an AWS Lambda function to update the prefix list automatically when the CIDR ranges change.
• D. Create security groups in a central administrative AWS account. Create an AWS Firewall Manager common security group policy for the whole organization. Select the previously created security groups as primary groups in the policy.

Correct answer: B

Explanation

Using a VPC customer managed prefix list shared via AWS Resource Access Manager (AWS RAM) is the most cost-effective and efficient solution because AWS RAM is free to use and allows centralized management of CIDR ranges. When the prefix list is updated, the changes automatically propagate to all referenced security groups across the organization. AWS Firewall Manager (Option D) is not the most cost-effective solution as it incurs additional monthly policy fees, and AWS managed prefix lists (Option C) cannot be modified by customers.