Which solution meets these requirements with the LEAST amount of operational overhead?
Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team’s AWS account. Deploy an AWS Lambda function in each AWS account. Configure the Lambda function to run every time an SNS topic receives a message. Configure the Lambda function to take an IP address as input and add it to a list of security groups in the account. Instruct the security team to distribute changes by publishing messages to its SNS topic.
Create new customer-managed prefix lists in each AWS account within the organization. Populate the prefix lists in each account with all internal CIDR ranges. Notify the owner of each AWS account to allow the new customer-managed prefix list IDs in their accounts in their security groups. Instruct the security team to share updates with each AWS account owner.
Create a new customer-managed prefix list in the security team’s AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups.
Create an IAM role in each account in the organization. Grant permissions to update security groups. Deploy an AWS Lambda function in the security team’s AWS account. Configure the Lambda function to take a list of internal IP addresses as input, assume a role in each organization account, and add the list of IP addresses to the security groups in each account.
Explanations:
While this option allows for notifications of changes via SNS and Lambda functions, it requires operational overhead to manage and deploy Lambda functions in each account. Additionally, the Lambda function would need to be manually invoked for each change, which does not scale efficiently with multiple accounts.
Creating customer-managed prefix lists in each account requires manual intervention to populate and maintain the lists. Each account owner must be notified and allowed to incorporate these lists into their security groups, which increases operational overhead and is not centrally managed.
This option utilizes a single customer-managed prefix list in the security team’s account, which is shared across all accounts using AWS Resource Access Manager (RAM). This centralizes management of the allow list, and accounts can reference the shared prefix list in their security groups without needing to manage separate copies, thereby reducing operational overhead.
This solution involves creating an IAM role in each account and deploying a Lambda function that assumes roles across accounts to update security groups. While it automates updates, it requires IAM role management and Lambda deployment in both the security and target accounts, increasing complexity and operational overhead.
Based on what I know, the answer is:
Create a new customer-managed prefix list in the security team’s AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups.