Which solution meets these requirements with the LEAST amount of operational overhead?
Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team’s AWS account. Deploy an AWS Lambda function in each AWS account. Configure the Lambda function to run every time an SNS topic receives a message. Configure the Lambda function to take an IP address as input and add it to a list of security groups in the account. Instruct the security team to distribute changes by publishing messages to its SNS topic.
Create new customer-managed prefix lists in each AWS account within the organization. Populate the prefix lists in each account with all internal CIDR ranges. Notify the owner of each AWS account to allow the new customer-managed prefix list IDs in their accounts in their security groups. Instruct the security team to share updates with each AWS account owner.
Create a new customer-managed prefix list in the security team’s AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups.
Create an IAM role in each account in the organization. Grant permissions to update security groups. Deploy an AWS Lambda function in the security team’s AWS account. Configure the Lambda function to take a list of internal IP addresses as input, assume a role in each organization account, and add the list of IP addresses to the security groups in each account.
Explanations:
Distributing IP changes with Amazon SNS and AWS Lambda is feasible, but it carries significant operational overhead: every account needs its own Lambda function, its own cross-account subscription to the topic, and its own execution role with permission to modify security groups. The function also turns the topic into a privileged control point, because any principal allowed to publish to it can add an address to security groups in every account, so the topic policy and the function's input validation need ongoing review on top of monitoring and maintaining the functions themselves.
Creating a separate customer-managed prefix list in each AWS account does group the CIDR ranges, but each copy is owned and edited independently, so every change still has to be communicated to each account owner and applied by hand. Nothing propagates automatically, which leads to lists that drift apart and to delays in updating security groups across accounts.
Creating one customer-managed prefix list in the security team's account and sharing it through AWS Resource Access Manager centralizes ownership of the CIDR ranges. Account owners reference the shared prefix list ID in their security group rules once; after that, entries the security team adds or removes take effect in every referencing rule without further notification or action in the consumer accounts, which gives the least operational overhead and keeps the ranges consistent. Only the owning account can modify the list, so consumers cannot diverge from it. Two points to plan for: sharing with the organization requires resource sharing with AWS Organizations to be enabled in RAM, and each security group that references the list is charged the list's maximum number of entries against the security group rule quota, so the maximum should be sized with modest headroom rather than generously.
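The following is an added example, not part of the original question or explanation, showing the request payloads behind the shared-prefix-list design: validating that the ranges are internal (RFC 1918), collapsing overlapping blocks so the list stays small, building the create and share requests, writing a consumer security group rule that references the prefix list ID rather than copying CIDRs, and computing an add/remove diff for a later update. The payload shapes match boto3's `ec2.create_managed_prefix_list`, `ram.create_resource_share`, `ec2.authorize_security_group_ingress` and `ec2.modify_managed_prefix_list`, but the code does not call AWS; the prefix list ID, ARN and organization ARN are hypothetical placeholders.

```python
"""Payload builders for a RAM-shared customer-managed prefix list.

Added example: builds and validates the request bodies, leaves the AWS
calls to the caller. All IDs and ARNs below are placeholders.
"""
import ipaddress

# RFC 1918 private ranges; an entry must fall inside one of these to be "internal".
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize_internal_cidrs(cidrs):
    """Parse, reject anything outside RFC 1918, and collapse overlapping/adjacent blocks.

    Collapsing matters because every security group that references the list is
    charged the list's MaxEntries against its rule quota, so fewer entries is better.
    """
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            raise ValueError(f"{cidr} is not an RFC 1918 range; refusing to treat it as internal")
        nets.append(net)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def create_prefix_list_request(name, cidrs, headroom=8):
    """Arguments for ec2.create_managed_prefix_list in the security team's account.

    MaxEntries is what consumers pay for in rule quota, so add only modest headroom.
    """
    entries = normalize_internal_cidrs(cidrs)
    return {
        "PrefixListName": name,
        "AddressFamily": "IPv4",
        "MaxEntries": len(entries) + headroom,
        "Entries": [{"Cidr": c, "Description": "internal"} for c in entries],
    }


def share_request(prefix_list_arn, organization_arn):
    """Arguments for ram.create_resource_share.

    Sharing with the organization ARN covers every member account; allowExternalPrincipals
    stays False so the list can never be shared outside the organization.
    """
    return {
        "name": "internal-cidrs",
        "resourceArns": [prefix_list_arn],
        "principals": [organization_arn],
        "allowExternalPrincipals": False,
    }


def ingress_rule(prefix_list_id, from_port, to_port, protocol="tcp"):
    """IpPermissions for ec2.authorize_security_group_ingress in a consumer account.

    The rule carries the prefix list ID, not the CIDRs, so later edits by the owning
    account take effect here without the rule being touched again.
    """
    return [{
        "IpProtocol": protocol,
        "FromPort": from_port,
        "ToPort": to_port,
        "PrefixListIds": [{"PrefixListId": prefix_list_id, "Description": "internal ranges"}],
    }]


def modify_entries_request(prefix_list_id, current_version, old_cidrs, new_cidrs):
    """Arguments for ec2.modify_managed_prefix_list, as an add/remove diff.

    CurrentVersion acts as an optimistic lock: if someone else changed the list in the
    meantime the call fails instead of silently overwriting their change.
    """
    old = set(normalize_internal_cidrs(old_cidrs))
    new = set(normalize_internal_cidrs(new_cidrs))
    req = {"PrefixListId": prefix_list_id, "CurrentVersion": current_version}
    if new - old:
        req["AddEntries"] = [{"Cidr": c} for c in sorted(new - old)]
    if old - new:
        req["RemoveEntries"] = [{"Cidr": c} for c in sorted(old - new)]
    return req


if __name__ == "__main__":
    # Constructed sample input and placeholder identifiers.
    internal = ["10.0.0.0/24", "10.0.1.0/24", "192.168.0.0/16"]
    print(create_prefix_list_request("internal-cidrs", internal))
    print(share_request("arn:aws:ec2:us-east-1:111111111111:prefix-list/pl-0123456789abcdef0",
                        "arn:aws:organizations::111111111111:organization/o-exampleorgid"))
    print(ingress_rule("pl-0123456789abcdef0", 443, 443))
    print(modify_entries_request("pl-0123456789abcdef0", 1, internal, internal + ["10.1.0.0/16"]))
```

The consumer side is the only step that touches each account, and it is a one-time rule creation; every later change is a single `modify_managed_prefix_list` call in the owning account. A non-RFC 1918 block or a CIDR with host bits set is rejected before any request is built, which is the check a practitioner wants in front of a list that opens ports organization-wide.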
The central Lambda function that assumes a role in every account does let the security team push updates programmatically, but it requires creating an IAM role and trust relationship in each account, keeping those permissions tightly scoped and audited, and writing the reconciliation logic itself: the function adds the CIDRs as individual security group rules, so removing a range later means finding and deleting it in every group in every account. Managing that permission fan-out and verifying execution across accounts is more operational overhead than having each account reference one shared prefix list.