AWS Certified DevOps Engineer – Professional — Question 182
A company uses Application Load Balancers (ALBs) as part of its application architecture. The company has ALBs in AWS accounts that are part of an organization in AWS Organizations. The company has configured AWS Config in all AWS accounts in the organization.
The company needs to apply an AWS WAF web ACL with a common set of rules to all ALBs, including any ALBs that are created in the future. Administrators of each AWS account must be able to define their own AWS WAF rules that are in addition to the common rules that the company’s security team provides for all the accounts.
Which solution will meet these requirements?
Answer options
- A. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy. Turn on automatic remediation and define the web ACL. Configure the policy scope to apply to all ALBs in the organization.
- B. Use AWS Resource Access Manager (AWS RAM) from the organization's management account to enable resource sharing in the organization. Create the web ACL. Configure a resource share of the web ACL for the organization. Associate the shared web ACL with all the ALBs in the organization.
- C. Set up the ALB_WAF_ENABLED AWS Config managed rule with automatic remediation. Configure the rule to create the web ACL and to attach the web ACL to all ALBs in an AWS account. Create an AWS Config conformance pack that contains the rule. Deploy the conformance pack to all AWS accounts in the organization.
- D. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy that defines the web ACL. Set up the ALB_WAF_ENABLED AWS Config managed rule with automatic remediation. Configure the rule to attach the web ACL to all ALBs in an AWS account. Deploy the rule to all AWS accounts in the organization.
Correct answer: A
Explanation
The correct answer is A. AWS Firewall Manager is the service built for exactly this: from the Firewall Manager administrator account, one AWS WAF policy scoped to the organization creates a web ACL in every in-scope account and, with automatic remediation turned on, associates it with every in-scope ALB, including ALBs created after the policy is deployed. The security team's rule groups go into the policy as first and last rule groups; the administrator of each account can add their own rules and rule groups to the Firewall Manager-managed web ACL, which run between the centrally managed ones, but cannot remove the centrally managed rule groups. Firewall Manager requires an organization in AWS Organizations and AWS Config enabled in every member account, which is why the question states that both are already in place.

Option B fails because AWS Resource Access Manager cannot share AWS WAF web ACLs, and a web ACL can only be associated with resources in its own account and Region. Option C fails because ALB_WAF_ENABLED (alb-waf-enabled) is a detective rule that reports whether an ALB has a web ACL associated; it does not create web ACLs, and a conformance pack of that rule gives no central definition of the common rules and no way for accounts to layer their own rules on top. Option D adds the same Config rule to a Firewall Manager policy, but the web ACL defined in the administrator account cannot be attached to ALBs in other accounts by a Config rule, and Firewall Manager's own remediation already performs the association, so the extra step is both unnecessary and unworkable.
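As an added illustration of option A (this template is not part of the original question and is not AWS's published sample), the CloudFormation below declares the Firewall Manager policy in the administrator account. The policy name, the managed rule group choices and the idea of a separate security-team rule group are assumptions; the property names and the `ManagedServiceData` JSON layout follow the `AWS::FMS::Policy` resource schema.

```yaml
# Added example, not from the original page. Deployed in the Firewall Manager
# administrator account. PolicyName and rule group selections are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Firewall Manager AWS WAF policy applying common rules to every ALB

Resources:
  CommonAlbWafPolicy:
    Type: AWS::FMS::Policy
    Properties:
      PolicyName: common-alb-web-acl          # placeholder name
      # Scope the policy to Application Load Balancers only.
      ResourceType: AWS::ElasticLoadBalancingV2::LoadBalancer
      # Create the web ACL in each in-scope account and associate it with
      # existing and future ALBs automatically (the "automatic remediation"
      # in option A). Without this the policy only reports non-compliance.
      RemediationEnabled: true
      # Remove the managed web ACL from ALBs that leave the policy scope.
      ResourcesCleanUp: true
      # No IncludeMap/ExcludeMap: the policy applies to every account in the
      # organization, which covers accounts added later as well.
      ExcludeResourceTags: false
      SecurityServicePolicyData:
        Type: WAFV2
        ManagedServiceData: |
          {
            "type": "WAFV2",
            "preProcessRuleGroups": [
              {
                "ruleGroupArn": null,
                "overrideAction": { "type": "NONE" },
                "managedRuleGroupIdentifier": {
                  "version": null,
                  "vendorName": "AWS",
                  "managedRuleGroupName": "AWSManagedRulesCommonRuleSet"
                },
                "ruleGroupType": "ManagedRuleGroup",
                "excludeRules": []
              },
              {
                "ruleGroupArn": null,
                "overrideAction": { "type": "NONE" },
                "managedRuleGroupIdentifier": {
                  "version": null,
                  "vendorName": "AWS",
                  "managedRuleGroupName": "AWSManagedRulesAmazonIpReputationList"
                },
                "ruleGroupType": "ManagedRuleGroup",
                "excludeRules": []
              }
            ],
            "postProcessRuleGroups": [],
            "defaultAction": { "type": "ALLOW" },
            "overrideCustomerWebACLAssociation": false
          }
```

The `preProcessRuleGroups` and `postProcessRuleGroups` are the security team's common rules and run first and last in the web ACL that Firewall Manager creates in each account; rules an account administrator adds to that web ACL run between them, and Firewall Manager will re-add the managed rule groups if someone deletes them. `overrideCustomerWebACLAssociation: false` leaves any web ACL an account already associated with an ALB in place rather than replacing it; set it to `true` if the common rules must win even on ALBs that already carry an account-owned web ACL.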