Exam AWS Certified Security - Specialty topic 1 question 209 discussion

100% C.. https://www.youtube.com/watch?v=w-zbsmpi7vw&t=583s

A. AWS RAM is about sharing resources between organizations and within the OUs. B. CloudFormation is about creating, not managing change. C. GOTTCHA, not this AWS FM is about VPC EC2 security groups, NOT IAM groupings that relate to security. D. Control Tower is about, well " AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. AWS Control Tower creates your landing zone using AWS Organizations, bringing ongoing account management and governance as well as implementation best practices based on AWS’s experience working with thousands of customers as they move to the cloud. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing that your accounts conform to company-wide policies. " and the winer is https://aws.amazon.com/controltower/?control-blogs.sort-by=item.additionalFields.createdDate&control-blogs.sort-order=desc -D-

C is correct answer. FM can used to configure baseline SG rules, detect drifts, has options to allow/disallow local accounts from edditing or adding additional SG's, and auto remediation to SG's. Thank you, Ayusef! Good reference video there.

Answer is C. https://docs.aws.amazon.com/waf/latest/developerguide/security-group-policies.html --- You can use Firewall Manager security group policies to do the following across your AWS organization: Apply common security groups to specified accounts and resources. Audit security group rules, to locate and remediate noncompliant rules. <<<<<<<< Audit usage of security groups, to clean up unused and redundant security groups. ---

https://docs.aws.amazon.com/waf/latest/developerguide/security-group-policies.html

I am convinced it's C because of the link posted by nairj and balki https://aws.amazon.com/blogs/security/how-to-continuously-audit-and-limit-security-groups-with-aws-firewall-manager/. I think D would work. Two points to consider in favor of D: 1) Question say "...Unauthorized changes in the individual accounts in the future" (note: "in the FUTURE". "c" shows "revert local changes""...I think I've been too picky. 2) I thought Firewall Manager implies to have a firewall (managed or not)....doesn't it?

The security engineer should recommend using AWS Firewall Manager to create a security group policy that defines the required security group rules for all accounts within the organization. This ensures consistent implementation of security groups. By enabling the policy feature and automatic remediation in AWS Firewall Manager, unauthorized changes to security groups can be detected and automatically reverted to enforce the defined policy. This solution addresses the issues of inconsistency in security group implementation and unauthorized changes, providing centralized management and control over security groups while delegating modification authority to the security team only.

Just used on a customer: with CT and Account Factory deployed a stack and with SCP block any editing on that. You can edit only if you are assuming specific ROLE.

The security engineer should recommend option D: Use AWS Control Tower to edit the account factory template to enable the share security groups option. Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users.

It's actually C, if you reached my comment and still unsatisfied from the other comments here, just go check it in console.

AWS Firewall Manager- Allows you to enforce policies across your entire organization to govern changes to your security groups.

C : See "Manage security groups with Firewall Manager" https://aws.amazon.com/blogs/security/how-to-continuously-audit-and-limit-security-groups-with-aws-firewall-manager/

obviously D. firewall manager has nothing to do with any of this.

C is the best answer. Using AWS Firewall Manager to create a security group policy and enable the policy feature to identify and revert local changes, as well as enable automatic remediation, would help improve consistency and prevent unauthorized changes in the individual accounts in the future. This would ensure that all accounts are using the same security groups and that any unauthorized changes are automatically reverted, ensuring compliance with the security policy.

FM can create common security group policies. However, the question specifically mentions security groups and the need to prevent unauthorized changes to them. AWS Firewall Manager does not have the ability to identify and revert local changes to security groups, or to enable automatic remediation for them. It is designed to create common security group policies for VPCs and network access control lists (ACLs), not for individual security groups. Therefore, option C is not a valid solution for this scenario.

while AWS FM is dedicated tool to managed SG and configure any other security features it does totally nothing IAM. So AWS Control Tower can be useful there - D

The correct answer is D. Use AWS Control Tower to edit the account factory template to enable the share security groups option. Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users. With this solution, the security engineer can use AWS Control Tower to enable the option to share security groups among the accounts in the organization. This will ensure that all accounts use the standard security groups consistently. Additionally, the security engineer can apply an SCP (service control policy) to the OU (organizational unit) or individual accounts that prohibits local account users from making modifications to the security groups. This will prevent unauthorized changes to the security groups in the future.