Which solution should the security engineer recommend?
Use AWS Resource Access Manager to create shared resources for each required security group and apply an IAM policy that permits read-only access to the security groups only.
Create an AWS CloudFormation template that creates the required security groups. Execute the template as part of configuring new accounts. Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur.
Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation.
Use AWS Control Tower to edit the account factory template to enable the share security groups option. Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users.
Explanations:
AWS Resource Access Manager (RAM) is designed to share AWS resources across accounts, but it does not enforce which security groups member accounts actually use, and a read-only IAM policy on the shared resources says nothing about security groups that already exist locally in each account. It neither guarantees consistency nor reserves modification authority to the security team.
An AWS CloudFormation template can create the security groups consistently, but nothing stops a local administrator from editing them once the stack has been deployed, and running the template only when an account is created does nothing for accounts that already exist or for drift introduced later. Amazon SNS notifications are reactive: they tell you a change happened, they do not undo it.
AWS Firewall Manager lets the Firewall Manager administrator account define a common security group policy that is replicated into every in-scope account and organizational unit in the AWS Organization. With "identify and revert local changes" and automatic remediation enabled, Firewall Manager detects edits to the replicated security groups through AWS Config and restores them to the primary definition, so both the inconsistency and the unauthorized-change problems are addressed from one place. Practical caveats: it requires AWS Organizations with a designated Firewall Manager administrator account and AWS Config recording in the member accounts, the primary security group lives in the administrator account, and remediation reverts a change after it is detected rather than blocking the API call itself.
AWS Control Tower governs accounts and can customize the Account Factory, but editing the Account Factory template only affects newly provisioned accounts and does not reconcile existing security group configurations. A Service Control Policy can deny security group modifications, but an SCP is a blunt instrument: it applies to every principal in the account (including any central team operating there unless the policy carves out their roles), and it does not create, distribute, or keep in sync a consistent set of security groups across accounts without additional tooling.
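As an added illustration (not part of the original question or AWS's own sample), the following CloudFormation snippet shows what the recommended Firewall Manager common security group policy looks like when deployed from the Firewall Manager administrator account. The security group ID, the OU ID and the policy name are placeholders; the `ManagedServiceData` keys (`revertManualSecurityGroupChanges`, `exclusiveResourceSecurityGroupManagement`, `applyToAllEC2InstanceENIs`) are the documented settings for the `SECURITY_GROUPS_COMMON` policy type.

```yaml
# Added example: AWS::FMS::Policy for a common security group policy.
# Deploy in the Firewall Manager administrator account; member accounts
# need AWS Config enabled for detection and remediation to work.
AWSTemplateFormatVersion: "2010-09-09"
Description: Firewall Manager common security group policy with auto-remediation

Parameters:
  PrimarySecurityGroupId:
    Type: String
    Default: sg-0123456789abcdef0   # placeholder: primary SG in the admin account
  TargetOrgUnitId:
    Type: String
    Default: ou-abcd-11111111       # placeholder: OU whose accounts receive the SG

Resources:
  SharedSecurityGroupPolicy:
    Type: AWS::FMS::Policy
    Properties:
      PolicyName: org-baseline-security-groups
      # RemediationEnabled turns "identify" into "identify and revert".
      RemediationEnabled: true
      ExcludeResourceTags: false
      # Common SG policies attach the replicated group to instances/ENIs.
      ResourceType: ResourceTypeList
      ResourceTypeList:
        - AWS::EC2::Instance
        - AWS::EC2::NetworkInterface
      IncludeMap:
        ORGUNIT:
          - !Ref TargetOrgUnitId
      SecurityServicePolicyData:
        Type: SECURITY_GROUPS_COMMON
        # ManagedServiceData is a JSON string; Fn::Sub injects the SG ID.
        ManagedServiceData: !Sub |-
          {
            "type": "SECURITY_GROUPS_COMMON",
            "revertManualSecurityGroupChanges": true,
            "exclusiveResourceSecurityGroupManagement": false,
            "applyToAllEC2InstanceENIs": false,
            "securityGroups": [ { "id": "${PrimarySecurityGroupId}" } ]
          }
```

`revertManualSecurityGroupChanges: true` is the setting the correct answer refers to: any edit a local administrator makes to the replicated copy in a member account is reverted to the primary definition. Setting `exclusiveResourceSecurityGroupManagement` to `true` would go further and strip any other security groups from in-scope resources, which is usually too aggressive for a first rollout. After deployment, `aws fms list-compliance-status --policy-id <policy-id>` from the administrator account shows which member accounts are still non-compliant.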