Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 98 discussion

C. Create a new customer-managed prefix list in the security team’s AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups. This solution meets the requirements with the least amount of operational overhead as it requires the security team to create and maintain a single customer-managed prefix list, and share it with the organization using AWS Resource Access Manager. The owners of each AWS account are then responsible for allowing the prefix list in their security groups, which eliminates the need for the security team to manually notify each account owner when changes are made. This solution also eliminates the need for a separate AWS Lambda function in each account, reducing the overall complexity of the solution.

masetromain is ChatGPT and might have outdated answers since it doesnt know aws latest update to services

Human cost is major overhead. I will go A. This is one time setup.

Centralised management and standard use case for prefix lists and RAM

Option C

C - basic RAM use case

Typical use case for RAM. It is the typical question that leads you to the solution without even finishing reading the question.

KEYWORD = AWS Resource Access Manager Then C

operational overhead

Prefix lists + RAM

Prefix lists + Resource Access Manager RAM is the solution.

Clearly

Create a new customer-managed prefix list in the security team’s AWS account

https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html

C is correct. The prefix list is managed by security team and shared with other accounts. Other accounts can directly use it.

The correct answer is D. Option D creates an IAM role in each account in the organization which grants permissions to update security groups. Then, it deploys an AWS Lambda function in the security team’s AWS account, this lambda function is able to assume the IAM roles in each account and update the security groups with the new IP CIDR ranges. This solution allows the security team to easily distribute and update the common set of IP CIDR ranges across all accounts with minimal operational overhead. Option A, uses an SNS topic, where the security team would need to notify all account owners every time an update is made to the allow list and would require the developers in each account to run a Lambda function which updates the security group. This solution would require a lot of manual work, and is not automated.