SAP-C02 Study Assistant

SAP-C02 Question 110

Lambda EventBridge IAM Organizations Control Tower Config WAF KMS Systems Manager

Question

A company wants to deploy an AWS WAF solution to manage AWS WAF rules across multiple AWS accounts. The accounts are managed under different OUs in AWS Organizations. Administrators must be able to add or remove accounts or OUs from managed AWS WAF rule sets as needed. Administrators also must have the ability to automatically update and remediate noncompliant AWS WAF rules in all accounts. Which solution meets these requirements with the LEAST amount of operational overhead?

Options

A. Use AWS Firewall Manager to manage AWS WAF rules across accounts in the organization. Use an AWS Systems Manager Parameter Store parameter to store account numbers and OUs to manage. Update the parameter as needed to add or remove accounts or OUs. Use an Amazon EventBridge rule to identify any changes to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Manager administrative account.

B. Deploy an organization-wide AWS Config rule that requires all resources in the selected OUs to associate the AWS WAF rules. Deploy automated remediation actions by using AWS Lambda to fix noncompliant resources. Deploy AWS WAF rules by using an AWS CloudFormation stack set to target the same OUs where the AWS Config rule is applied.

C. Create AWS WAF rules in the management account of the organization. Use AWS Lambda environment variables to store account numbers and OUs to manage. Update environment variables as needed to add or remove accounts or OUs. Create cross-account IAM roles in member accounts. Assume the roles by using AWS Security Token Service (AWS STS) in the Lambda function to create and update AWS WAF rules in the member accounts.

D. Use AWS Control Tower to manage AWS WAF rules across accounts in the organization. Use AWS Key Management Service (AWS KMS) to store account numbers and OUs to manage. Update AWS KMS as needed to add or remove accounts or OUs. Create IAM users in member accounts. Allow AWS Control Tower in the management account to use the access key and secret access key to create and update AWS WAF rules in the member accounts.

Answer

A

Explanation

Correct answer: A. Explanation: the correct choice for this question is A. Correct option: A. Use AWS Firewall Manager to manage AWS WAF rules across accounts in the organization. Use an AWS Systems Manager Parameter Store parameter to store the account numbers and OUs to manage. Update the parameter as needed to add or remove accounts or OUs. Use an Amazon EventBridge rule to detect any change to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Mana...