Which solution meets these requirements with the LEAST amount of operational overhead?
A. Use AWS Firewall Manager to manage AWS WAF rules across accounts in the organization. Use an AWS Systems Manager Parameter Store parameter to store account numbers and OUs to manage. Update the parameter as needed to add or remove accounts or OUs. Use an Amazon EventBridge rule to identify any changes to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Manager administrative account.
B. Deploy an organization-wide AWS Config rule that requires all resources in the selected OUs to associate the AWS WAF rules. Deploy automated remediation actions by using AWS Lambda to fix noncompliant resources. Deploy AWS WAF rules by using an AWS CloudFormation stack set to target the same OUs where the AWS Config rule is applied.
C. Create AWS WAF rules in the management account of the organization. Use AWS Lambda environment variables to store account numbers and OUs to manage. Update environment variables as needed to add or remove accounts or OUs. Create cross-account IAM roles in member accounts. Assume the roles by using AWS Security Token Service (AWS STS) in the Lambda function to create and update AWS WAF rules in the member accounts.
D. Use AWS Control Tower to manage AWS WAF rules across accounts in the organization. Use AWS Key Management Service (AWS KMS) to store account numbers and OUs to manage. Update AWS KMS as needed to add or remove accounts or OUs. Create IAM users in member accounts. Allow AWS Control Tower in the management account to use the access key and secret access key to create and update AWS WAF rules in the member accounts.
Explanations:
A (correct). AWS Firewall Manager is the service built for this job: from a single Firewall Manager administrator account in the organization it applies a WAF policy to accounts and OUs named in the policy's include/exclude scope, creates the web ACLs in the member accounts, and can remediate resources that drift out of compliance. Keeping the list of in-scope accounts and OUs in a Parameter Store parameter and letting an EventBridge rule (Parameter Store emits "Parameter Store Change" events) invoke a Lambda function that rewrites the policy scope means the only thing an operator ever touches is one parameter value; there is no per-account deployment, no cross-account credential handling, and no custom compliance checking to maintain.
B. AWS Config can detect noncompliant resources, but it does not create or distribute WAF rules, so the design needs a CloudFormation stack set to deploy the web ACLs plus custom remediation Lambda code to attach them, and both pieces must be kept in step with each other and with every OU change. That is a home-grown version of what Firewall Manager already does, with more moving parts to operate.
C. Lambda environment variables are deployment configuration, not a data store: every change to the account or OU list is a code deployment, and the function must also loop over accounts, assume a role in each with AWS STS, and create and reconcile WAF rules itself. The cross-account roles have to be created and maintained in every member account as well. All of this is operational overhead that Firewall Manager removes.
D. AWS Control Tower governs account provisioning and guardrails; it has no capability to create or manage AWS WAF rules. AWS KMS manages encryption keys and is not a place to store account numbers or OU lists. Creating IAM users with long-lived access keys and secret access keys in every member account is also a poor security practice (IAM roles with temporary credentials are the recommended cross-account mechanism) and adds credential lifecycle management on top of the other overhead.
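The following is an added example, not code from the question or from AWS, showing what the Lambda function in option A would actually do: parse the Parameter Store value into a Firewall Manager IncludeMap, validate it so a typo cannot silently widen or empty the policy scope, and push the updated scope with the Firewall Manager PutPolicy API. The parameter name, policy name and the JSON shape of the parameter value are assumptions; the EventBridge pattern shown is the one that matches Parameter Store change events. The boto3 clients are injected so the scope logic can be exercised without AWS credentials.

```python
"""Keep a Firewall Manager WAF policy's account/OU scope in sync with an SSM parameter.

Added example (not from the original page). Assumed: the parameter holds JSON of the
form {"accounts": ["123456789012", ...], "ous": ["ou-xxxx-xxxxxxxx", ...]} and a
Firewall Manager policy named POLICY_NAME already exists in the FMS administrator account.
"""
import json
from typing import Any, Dict, List, Optional

PARAM_NAME = "/security/fms/waf-scope"   # assumed parameter name
POLICY_NAME = "org-waf-baseline"          # assumed Firewall Manager policy name

# EventBridge rule pattern for the trigger described in option A.
# Parameter Store publishes these events; "Delete" is deliberately not matched.
EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.ssm"],
    "detail-type": ["Parameter Store Change"],
    "detail": {"name": [PARAM_NAME], "operation": ["Create", "Update"]},
}


def parse_scope(raw: str) -> Dict[str, List[str]]:
    """Turn the parameter value into a Firewall Manager IncludeMap.

    Rejects malformed IDs and an empty scope: an empty IncludeMap would make
    the policy apply to the whole organization, which is the failure mode an
    operator editing a parameter by hand is most likely to hit.
    """
    data = json.loads(raw)
    accounts = [str(a) for a in data.get("accounts", [])]
    ous = [str(o) for o in data.get("ous", [])]
    for acct in accounts:
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"invalid AWS account id: {acct!r}")
    for ou in ous:
        if not ou.startswith("ou-"):
            raise ValueError(f"invalid organizational unit id: {ou!r}")
    if not accounts and not ous:
        raise ValueError("scope must name at least one account or OU")
    include_map: Dict[str, List[str]] = {}
    if accounts:
        include_map["ACCOUNT"] = sorted(set(accounts))
    if ous:
        include_map["ORG_UNIT"] = sorted(set(ous))
    return include_map


def updated_policy(policy: Dict[str, Any], include_map: Dict[str, List[str]]) -> Dict[str, Any]:
    """Copy an existing policy (as returned by GetPolicy) with a new IncludeMap.

    PolicyId and PolicyUpdateToken are kept so PutPolicy updates rather than creates.
    """
    new_policy = dict(policy)
    new_policy["IncludeMap"] = include_map
    return new_policy


def find_policy_id(fms: Any, name: str) -> str:
    """Resolve a Firewall Manager policy name to its PolicyId via ListPolicies."""
    token: Optional[str] = None
    while True:
        kwargs = {"NextToken": token} if token else {}
        resp = fms.list_policies(**kwargs)
        for summary in resp.get("PolicyList", []):
            if summary["PolicyName"] == name:
                return summary["PolicyId"]
        token = resp.get("NextToken")
        if not token:
            raise LookupError(f"no Firewall Manager policy named {name!r}")


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   ssm: Any = None, fms: Any = None) -> Dict[str, Any]:
    """EventBridge target: re-scope the policy whenever PARAM_NAME changes."""
    detail = event.get("detail", {})
    if detail.get("name") != PARAM_NAME:
        return {"status": "ignored", "reason": "event is for another parameter"}
    if detail.get("operation") == "Delete":
        # Never blank the scope because someone deleted the parameter.
        return {"status": "ignored", "reason": "parameter deleted; scope left unchanged"}
    if ssm is None or fms is None:
        import boto3  # only needed when running inside Lambda
        ssm = ssm or boto3.client("ssm")
        fms = fms or boto3.client("fms")
    raw = ssm.get_parameter(Name=PARAM_NAME)["Parameter"]["Value"]
    include_map = parse_scope(raw)
    policy_id = find_policy_id(fms, POLICY_NAME)
    current = fms.get_policy(PolicyId=policy_id)["Policy"]
    fms.put_policy(Policy=updated_policy(current, include_map))
    return {"status": "updated", "policyId": policy_id, "includeMap": include_map}
```

The Lambda execution role needs `ssm:GetParameter` on the parameter and `fms:ListPolicies`, `fms:GetPolicy` and `fms:PutPolicy` in the Firewall Manager administrator account; no cross-account permissions are required, which is the point of option A.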