Which solution will meet these requirements?

By:
In: DOP-C01
Tagged:
With: 1 Comment
A company uses Application Load Balancers (ALBs) as part of its application architecture.The company has ALBs in AWS accounts that are part of an organization in AWS Organizations.The company has configured AWS Config in all AWS accounts in the organization.The company needs to apply an AWS WAF web ACL with a common set of rules to all ALBs, including any ALBs that are created in the future.Administrators of each AWS account must be able to define their own AWS WAF rules that are in addition to the common rules that the company’s security team provides for all the accounts.

Which solution will meet these requirements?

Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy. Turn on automatic remediation and define the web ACL. Configure the policy scope to apply to all ALBs in the organization.

Use AWS Resource Access Manager (AWS RAM) from the organization’s management account to enable resource sharing in the organization. Create the web ACL. Configure a resource share of the web ACL for the organization. Associate the shared web ACL with all the ALBs in the organization.

Set up the ALB_WAF_ENABLED AWS Config managed rule with automatic remediation. Configure the rule to create the web ACL and to attach the web ACL to all ALBs in an AWS account. Create an AWS Config conformance pack that contains the rule. Deploy the conformance pack to all AWS accounts in the organization.

Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy that defines the web ACL. Set up the ALB_WAF_ENABLED AWS Config managed rule with automatic remediation. Configure the rule to attach the web ACL to all ALBs in an AWS account. Deploy the rule to all AWS accounts in the organization.

Explanations:

AWS Firewall Manager allows you to manage WAF rules across multiple accounts in an organization. You can configure an AWS WAF policy for the entire organization, applying common rules to all ALBs, while still allowing administrators to define additional rules in their own accounts.

AWS RAM can be used to share resources, but it does not provide a mechanism for managing WAF rules across multiple accounts or ensuring that the web ACL is applied to all ALBs, including those created in the future.

While AWS Config can help monitor ALBs, using the ALB_WAF_ENABLED rule for automatic remediation only ensures that the web ACL is attached to ALBs in an account, but it doesn’t apply a common set of WAF rules across accounts or manage WAF configurations at an organizational level.

Although AWS Firewall Manager and AWS Config can both be used, this solution does not meet the requirement to apply a common set of rules for all ALBs across the organization. The solution combines AWS Config with automatic remediation, which is not necessary when Firewall Manager is already capable of managing WAF rules across accounts.

2025-10-02

1 Comment

  1. Lauren
    Author

    As I understand it, the answer is:
    Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy. Turn on automatic remediation and define the web ACL. Configure the policy scope to apply to all ALBs in the organization.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × 2 =