Which solution meets these requirements with the LEAST amount of operational overhead?
A. Create a JSON file that is hosted in Amazon S3 and that lists all of the internal IP address ranges. Configure an Amazon Simple Notification Service (Amazon SNS) topic in each of the accounts that can be invoked when the JSON file is updated. Subscribe an AWS Lambda function to the SNS topic to update all relevant security group rules with the updated IP address ranges.
B. Create a new AWS Config managed rule that contains all of the internal IP address ranges. Use the rule to check the security groups in each of the accounts to ensure compliance with the list of IP address ranges. Configure the rule to automatically remediate any noncompliant security group that is detected.
C. In the transit account, create a VPC prefix list with all of the internal IP address ranges. Use AWS Resource Access Manager to share the prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts.
D. In the transit account, create a security group with all of the internal IP address ranges. Configure the security groups in the other accounts to reference the transit account’s security group by using a nested security group reference of “
Explanations:
A. This option would involve more operational overhead, as it requires setting up SNS topics and Lambda functions in each account. Additionally, updating security group rules in all accounts via Lambda functions would be complex to manage and scale.
B. AWS Config rules are generally used for compliance checks, not for centrally managing a list of IP addresses. This solution would not directly allow developers to securely reference a centralized list of IP address ranges in security group rules.
C. Creating a VPC prefix list in the transit account and sharing it with other accounts via AWS Resource Access Manager allows centralized management of IP address ranges. This solution has minimal operational overhead and can be easily referenced in security group rules across accounts.
D. Nested security group references do not support cross-account configurations directly. This option would not meet the requirements, as security groups cannot reference other accounts’ security groups in this manner.
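The following Terraform configuration is an added illustration of the correct option (a customer-managed prefix list owned by the transit account, shared through AWS RAM, and referenced by a security group rule in a member account). It is not part of the original question or of any AWS documentation. The provider aliases, account ID, VPC ID and CIDR ranges are constructed placeholders; in practice the `member` provider would assume a role in the other account.

```hcl
# Added example, not from the original page. Two providers stand in for the
# two accounts: "transit" owns the prefix list and shares it via RAM,
# "member" is one of the other accounts and only references the shared list.
# Every ID, account number and CIDR below is a constructed placeholder.

provider "aws" {
  alias  = "transit"
  region = "us-east-1"
}

provider "aws" {
  alias  = "member"
  region = "us-east-1"
}

# Single source of truth for internal ranges, owned by the transit account.
resource "aws_ec2_managed_prefix_list" "internal" {
  provider       = aws.transit
  name           = "internal-ip-ranges"
  address_family = "IPv4"
  max_entries    = 20 # size deliberately; see the note below the block

  entry {
    cidr        = "10.0.0.0/8"
    description = "corporate network (constructed example CIDR)"
  }
  entry {
    cidr        = "172.16.0.0/12"
    description = "VPN address pools (constructed example CIDR)"
  }
}

# Share the list with the member account through AWS Resource Access Manager.
resource "aws_ram_resource_share" "internal" {
  provider                  = aws.transit
  name                      = "internal-ip-ranges"
  allow_external_principals = false # keep the share inside the Organization
}

resource "aws_ram_resource_association" "internal" {
  provider           = aws.transit
  resource_arn       = aws_ec2_managed_prefix_list.internal.arn
  resource_share_arn = aws_ram_resource_share.internal.arn
}

resource "aws_ram_principal_association" "member" {
  provider           = aws.transit
  principal          = "111111111111" # placeholder member account ID
  resource_share_arn = aws_ram_resource_share.internal.arn
}

# Member account: the ingress rule references the shared list by ID instead
# of copying CIDRs, so edits to the list in the transit account take effect
# here without touching this security group.
resource "aws_security_group" "app" {
  provider = aws.member
  name     = "app-internal-only"
  vpc_id   = "vpc-0123456789abcdef0" # placeholder member VPC ID
}

resource "aws_vpc_security_group_ingress_rule" "internal_https" {
  provider          = aws.member
  security_group_id = aws_security_group.app.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = aws_ec2_managed_prefix_list.internal.id
}
```

Two practical checks when applying this pattern: a security group rule that references a prefix list consumes quota equal to the list's `max_entries`, not its current number of entries, so set `max_entries` to what is actually needed; and a member account outside an Organization with RAM sharing enabled must explicitly accept the resource share before the prefix list ID resolves there.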