Which approach meets these requirements with the LEAST amount of setup?
Create an OU within the company’s organization. Add department accounts to the OU. From the central management account, create an AWS CloudFormation template that includes the VPC and the network security configurations. Create a CloudFormation stack set by using this template file with automated deployment enabled. Apply the CloudFormation stack set to the OU.
Create a new organization with the central management account. Invite all AWS department accounts into the new organization. From the central management account, create an AWS CloudFormation template that includes the VPC and the network security configurations. Create a CloudFormation stack that is based on this template. Apply the CloudFormation stack to the newly created organization.
Invite department accounts to the company’s organization. From the central management account, create an AWS CloudFormation template that includes the VPC and the network security configurations. Create an AWS CodePipeline pipeline that will deploy the network security setup to the newly created account. Specify the creation of an account as an event hook. Apply the event hook to the pipeline.
Invite department accounts to the company’s organization. From the central management account, create an AWS CloudFormation template that includes the VPC and the network security configurations. Create an AWS Lambda function that will deploy the VPC and the network security setup to the newly created account. Create an event that watches for account creation. Configure the event to invoke the pipeline.
Explanations:
This option keeps a centralized management model by using AWS CloudFormation StackSets, which deploy resources from the management account into every account of an OU. With automated deployment enabled, each account added to the OU receives the identical VPC and network security configuration automatically, so the compliance requirement is met from the moment the account exists, with minimal manual intervention.
Creating a new organization for the department accounts complicates the structure unnecessarily, and the requirement is that department accounts remain in the existing organization. In addition, a plain CloudFormation stack deploys into a single account and cannot be applied to an organization, so this option provides no mechanism for automatically deploying the network security configuration when an account is created.
Using AWS CodePipeline to deploy the network security setup is viable, but CodePipeline has no built-in trigger for account creation, so this option lacks direct, automated provisioning of the required network configuration when a new account is created. It adds pipeline complexity without ensuring compliance from the start.
Using an AWS Lambda function to deploy the configuration on account creation is a valid strategy, but it introduces unnecessary complexity in event handling and adds ongoing management overhead for custom code. It also does not use CloudFormation StackSets, which are the more straightforward way to keep the configuration uniform across accounts.
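The StackSets approach from the first explanation, written out as an added example (not from the original page): a template run in the management account that creates a service-managed stack set with automated deployment targeting an OU. The OU id parameter, region, stack set name and the 10.42.0.0/16 CIDR are placeholders chosen for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the original page). Run in the management account:
  deploys a network baseline as a service-managed StackSet with automated
  deployment, so any account created in or moved into the target OU gets it.
Parameters:
  DepartmentOuId:
    Type: String
    Description: Target OU id (hypothetical placeholder, e.g. ou-xxxx-xxxxxxxx)
  TargetRegion:
    Type: String
    Default: us-east-1
Resources:
  NetworkBaselineStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: dept-network-baseline
      Description: VPC and network security controls for department accounts
      # SERVICE_MANAGED uses the Organizations trusted-access roles, so no
      # per-account administration or execution roles have to be created by hand.
      PermissionModel: SERVICE_MANAGED
      # Automated deployment is what makes new accounts compliant on creation;
      # RetainStacksOnAccountRemoval=false removes the baseline if an account leaves the OU.
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref DepartmentOuId
          Regions:
            - !Ref TargetRegion
      # The baseline each account receives. Kept minimal here: a VPC (constructed
      # CIDR) and a deny-by-default security group with no ingress rules.
      TemplateBody: |
        AWSTemplateFormatVersion: '2010-09-09'
        Resources:
          DeptVpc:
            Type: AWS::EC2::VPC
            Properties:
              CidrBlock: 10.42.0.0/16
              EnableDnsSupport: true
              EnableDnsHostnames: true
          RestrictedDefaultSg:
            Type: AWS::EC2::SecurityGroup
            Properties:
              GroupDescription: Baseline security group with no inbound rules
              VpcId: !Ref DeptVpc
```

Trusted access between AWS Organizations and CloudFormation StackSets must be enabled in the management account before a SERVICE_MANAGED stack set can target an OU.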