Which solution will meet these requirements MOST cost-effectively?
Create VPC security groups in the organization’s management account. Update the security groups when a CIDR range update is necessary.
Create a VPC customer managed prefix list that contains the list of CIDRs. Use AWS Resource Access Manager (AWS RAM) to share the prefix list across the organization. Use the prefix list in the security groups across the organization.
Create an AWS managed prefix list. Use an AWS Security Hub policy to enforce the security group update across the organization. Use an AWS Lambda function to update the prefix list automatically when the CIDR ranges change.
Create security groups in a central administrative AWS account. Create an AWS Firewall Manager common security group policy for the whole organization. Select the previously created security groups as primary groups in the policy.
Explanations:
Creating security groups in the management account and manually updating them for CIDR range changes is not scalable or efficient. This would increase administrative overhead as the organization grows.
Using a VPC customer managed prefix list and sharing it via AWS RAM is the most cost-effective and scalable approach. The CIDR ranges are maintained in one place, the shared list is referenced directly in security group rules across all accounts in the organization, and an update to the list's entries takes effect in every rule that references it.
AWS managed prefix lists are created and maintained by AWS for its own services' IP ranges and cannot be created or edited by customers, and enforcing security group updates through Security Hub and Lambda adds unnecessary complexity and cost.
While Firewall Manager can enforce security group rules across an organization, it doesn’t directly address centralized management of CIDR ranges in a cost-effective way. Creating security groups in a central account is not the most efficient approach.
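As an added example (not part of the original question or explanation), an owner-account CloudFormation template for the correct option: a customer managed prefix list, an AWS RAM resource share to the organization, and a security group rule that references the list. The account ID, organization ARN, VPC ID and CIDR entries are constructed placeholders.

```yaml
# Added example, not from the original page. All IDs and CIDRs are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Customer managed prefix list shared across the organization via RAM

Parameters:
  OrganizationArn:
    Type: String
    Default: arn:aws:organizations::111122223333:organization/o-EXAMPLE
    Description: "Placeholder. Sharing to an organization first requires: aws ram enable-sharing-with-aws-organization"

Resources:
  CorporateCidrs:
    Type: AWS::EC2::PrefixList
    Properties:
      PrefixListName: corporate-office-cidrs
      AddressFamily: IPv4
      # MaxEntries (not the current entry count) is what each referencing
      # security group rule consumes from that group's rules quota,
      # so size it for expected growth but no larger.
      MaxEntries: 10
      Entries:
        - Cidr: 203.0.113.0/24
          Description: Office A (constructed sample)
        - Cidr: 198.51.100.0/24
          Description: Office B (constructed sample)

  CorporateCidrsShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: corporate-office-cidrs
      ResourceArns:
        - !GetAtt CorporateCidrs.Arn
      Principals:
        - !Ref OrganizationArn
      AllowExternalPrincipals: false   # keep the share inside the organization

  # Member accounts reference the shared list by its pl- ID in the same way;
  # editing Entries above updates every rule that references the list.
  AdminSsh:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from corporate ranges only
      VpcId: vpc-0123456789abcdef0   # placeholder
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourcePrefixListId: !Ref CorporateCidrs   # Ref returns the prefix list ID
```

When a CIDR changes, only the Entries of CorporateCidrs are edited; no security group in any account needs to be touched.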