Amazon ANS-C01: How to Efficiently Implement AWS Network Firewall Across Multiple Accounts Using AWS Organizations?

Learn the steps to set up web filtering using AWS Network Firewall for VPCs across 50 AWS accounts in an Organization. Minimize firewall policies and rule groups needed by sharing resources with AWS RAM and enabling sharing within the Organization.

Question

A company has VPCs across 50 AWS accounts and is using AWS Organizations. The company wants to implement web filtering. The requirements for how the traffic must be filtered are the same for all the VPCs. A network engineer plans to use AWS Network Firewall. The network engineer needs to implement a solution that minimizes the number of firewall policies and rule groups that are necessary for this web filtering.

Which combination of steps will meet these requirements? (Choose three.)

A. Create a firewall policy or rule group in each account.
B. Use SCPs to share the firewall policy or rule group.
C. Create a firewall policy or rule group in the management account.
D. Use AWS Resource Access Manager (AWS RAM) to share the firewall policy or rule group.
E. Enable sharing within Organizations.
F. Create OUs to share the firewall policy or rule group.

Answer

C. Create a firewall policy or rule group in the management account.
D. Use AWS Resource Access Manager (AWS RAM) to share the firewall policy or rule group.
E. Enable sharing within Organizations.

Explanation

To implement web filtering using AWS Network Firewall across 50 VPCs in different AWS accounts that are part of an AWS Organization, while minimizing the number of firewall policies and rule groups needed, follow these steps:

1. Create a firewall policy or rule group in the management account (Option C).
By defining the filtering rules once, centrally, in the management account (formerly called the master account), you avoid duplicating them in each individual account.

2. Use AWS Resource Access Manager (AWS RAM) to share the firewall policy or rule group (Option D).
AWS RAM lets you share resources such as Network Firewall rule groups and firewall policies with other accounts in your Organization. The spoke accounts can then reference the centrally managed rules instead of maintaining their own copies.

3. Enable sharing within Organizations (Option E).
To use RAM to share resources between accounts, you first need to enable sharing within your AWS Organization from the management account.
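The three chosen steps as an AWS CLI script, added here as an example and not taken from the page or from AWS. It is meant to be run from the Organizations management account, as the answer specifies; the account id, organization id, resource names and blocked domains are constructed placeholders, and unless invoked with `--apply` the script only prints the commands it would run so the change can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the page or from AWS): steps E, C and D as AWS CLI calls,
# run from the Organizations management account. All ids, names and domains below
# are constructed placeholders. Without --apply, commands are printed, not executed.
set -eu

MGMT_ACCOUNT_ID="${MGMT_ACCOUNT_ID:-111111111111}"   # placeholder management account id
ORG_ID="${ORG_ID:-o-exampleorgid}"                    # placeholder organization id
REGION="${REGION:-us-east-1}"
RULE_GROUP_NAME="${RULE_GROUP_NAME:-org-web-filter-domains}"
POLICY_NAME="${POLICY_NAME:-org-web-filter-policy}"
APPLY="${APPLY:-0}"

# aws_cmd: execute the AWS CLI, or print the command line when not applying.
aws_cmd() {
  if [ "$APPLY" = "1" ]; then
    aws --region "$REGION" "$@"
  else
    printf 'DRY-RUN: aws --region %s %s\n' "$REGION" "$*"
  fi
}

# Network Firewall and Organizations ARNs are deterministic, so the policy and the
# RAM share can reference the rule group without parsing CLI output.
rule_group_arn() {
  printf 'arn:aws:network-firewall:%s:%s:stateful-rulegroup/%s' \
    "$REGION" "$MGMT_ACCOUNT_ID" "$RULE_GROUP_NAME"
}
policy_arn() {
  printf 'arn:aws:network-firewall:%s:%s:firewall-policy/%s' \
    "$REGION" "$MGMT_ACCOUNT_ID" "$POLICY_NAME"
}
org_arn() {
  printf 'arn:aws:organizations::%s:organization/%s' "$MGMT_ACCOUNT_ID" "$ORG_ID"
}

# Step E: RAM can target the whole Organization only after Organizations sharing
# is enabled, and only the management account can enable it.
enable_org_sharing() {
  aws_cmd ram enable-sharing-with-aws-organization
}

# Step C: one stateful domain-list rule group holding the shared deny list, then
# one firewall policy that references it. Both are created exactly once.
create_rule_group() {
  aws_cmd network-firewall create-rule-group \
    --rule-group-name "$RULE_GROUP_NAME" \
    --type STATEFUL \
    --capacity 100 \
    --rule-group '{"RulesSource":{"RulesSourceList":{"Targets":[".blocked.example","malware.example"],"TargetTypes":["HTTP_HOST","TLS_SNI"],"GeneratedRulesType":"DENYLIST"}}}'
}
create_firewall_policy() {
  aws_cmd network-firewall create-firewall-policy \
    --firewall-policy-name "$POLICY_NAME" \
    --firewall-policy "$(printf '{"StatelessDefaultActions":["aws:forward_to_sfe"],"StatelessFragmentDefaultActions":["aws:forward_to_sfe"],"StatefulRuleGroupReferences":[{"ResourceArn":"%s"}]}' "$(rule_group_arn)")"
}

# Step D: a single RAM resource share makes the rule group and policy visible to
# every account in the Organization; the principal is the Organization ARN.
share_with_organization() {
  aws_cmd ram create-resource-share \
    --name "$POLICY_NAME-share" \
    --resource-arns "$(rule_group_arn)" "$(policy_arn)" \
    --principals "$(org_arn)"
}

deploy_org_web_filter() {
  enable_org_sharing
  create_rule_group
  create_firewall_policy
  share_with_organization
}

if [ "${1:-}" = "--apply" ]; then APPLY=1; fi
deploy_org_web_filter
```

Each spoke account still creates its own firewall and firewall endpoints in its VPCs, attaching the shared policy ARN; because the share targets the Organization with sharing enabled, spoke accounts do not need to accept an invitation. The RAM resource share is the control point that decides who can reference the central policy, so it is worth reviewing the dry-run output (and later the share's principal list) before applying.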

The other options are not optimal for minimizing duplication of firewall rules:

  • Creating separate policies/rule groups in each account (A) would duplicate the same rules 50 times, with every change having to be repeated in every account.
  • Service control policies (B) set permission guardrails across the Organization; they cannot share resources.
  • Creating OUs (F) alone does not share the firewall policy. OUs can only be used as targets for a share, and the sharing itself still requires RAM.

So in summary, define the Network Firewall filtering rules once centrally in the management account, use AWS RAM to share them with the spoke accounts, and enable resource sharing in AWS Organizations. This will allow you to efficiently implement consistent web filtering across all accounts and VPCs while minimizing administrative overhead.

This Amazon AWS Certified Advanced Networking – Specialty (ANS-C01) practice question and answer, with its explanation and reference, is provided free to help you prepare for and pass the ANS-C01 exam and earn the AWS Certified Advanced Networking – Specialty certification.