SAP-C02 Study Assistant

SAP-C02 Question 53

Transit Gateway VPC Lambda S3 SNS Organizations Config

Question

A company has an organization in AWS Organizations that has a large number of AWS accounts. One of the AWS accounts is designated as a transit account and has a transit gateway that is shared with all of the other AWS accounts. AWS Site-to-Site VPN connections are configured between all of the company’s global offices and the transit account. The company has AWS Config enabled on all of its accounts. The company’s networking team needs to centrally manage a list of internal IP address ranges that belong to the global offices. Developers will reference this list to gain access to their applications securely. Which solution meets these requirements with the LEAST amount of operational overhead?


Options

A. Create a JSON file that is hosted in Amazon S3 and that lists all of the internal IP address ranges. Configure an Amazon Simple Notification Service (Amazon SNS) topic in each of the accounts that can be invoked when the JSON file is updated. Subscribe an AWS Lambda function to the SNS topic to update all relevant security group rules with the updated IP address ranges.


B. Create a new AWS Config managed rule that contains all of the internal IP address ranges. Use the rule to check the security groups in each of the accounts to ensure compliance with the list of IP address ranges. Configure the rule to automatically remediate any noncompliant security group that is detected.


C. In the transit account, create a VPC prefix list with all of the internal IP address ranges. Use AWS Resource Access Manager to share the prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts.


D. In the transit account, create a security group with all of the internal IP address ranges. Configure the security groups in the other accounts to reference the transit account’s security group by using a nested security group reference of “/sg-1a2b3c4d”.


Answer

C

Explanation

Correct answer: C. Explanation: C is the right choice for this question. Correct option: C. In the transit account, create a VPC prefix list containing all of the internal IP address ranges. Use AWS Resource Access Manager to share the prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts. Reason for the choice: this option most directly satisfies the key constraint in the question stem. When working through SAP-C02 questions, always check the qualifiers in the stem as well, such as highest performance, lowest operational overhead, cost effectiveness, reliability, scalability, security, RTO/R...
