SAP-C02 Study Assistant

SAP-C02 Question 98

Lambda SNS IAM Organizations Config

Question

A company has an organization that has many AWS accounts in AWS Organizations. A solutions architect must improve how the company manages common security group rules for the AWS accounts in the organization. The company has a common set of IP CIDR ranges in an allow list in each AWS account to allow access to and from the company’s on-premises network. Developers within each account are responsible for adding new IP CIDR ranges to their security groups. The security team has its own AWS account. Currently, the security team notifies the owners of the other AWS accounts when changes are made to the allow list. The solutions architect must design a solution that distributes the common set of CIDR ranges across all accounts. Which solution meets these requirements with the LEAST amount of operational overhead?

Options

A. Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team's AWS account. Deploy an AWS Lambda function in each AWS account. Configure the Lambda function to run every time an SNS topic receives a message. Configure the Lambda function to take an IP address as input and add it to a list of security groups in the account. Instruct the security team to distribute changes by publishing messages to its SNS topic.

B. Create new customer-managed prefix lists in each AWS account within the organization. Populate the prefix lists in each account with all internal CIDR ranges. Notify the owner of each AWS account to allow the new customer-managed prefix list IDs in their accounts in their security groups. Instruct the security team to share updates with each AWS account owner.

C. Create a new customer-managed prefix list in the security team’s AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups.

D. Create an IAM role in each account in the organization. Grant permissions to update security groups. Deploy an AWS Lambda function in the security team’s AWS account. Configure the Lambda function to take a list of internal IP addresses as input, assume a role in each organization account, and add the list of IP addresses to the security groups in each account.

Answer

C

Explanation

Correct answer: C. Correct option: C, as stated above (a single customer-managed prefix list in the security team's account, populated with the internal CIDR ranges, shared with the organization through AWS Resource Access Manager, and referenced by ID in each account's security groups). Reason for choosing it: this option most directly satisfies the key constraints in the question. Security group rules reference the prefix list ID rather than the CIDR ranges themselves, so any range the security team adds to or removes from the shared list takes effect in every referencing security group without per-account changes, and the account owners only need to be told the prefix list ID once. When working through SAP-C02 questions, check the answer against the qualifiers in the question stem at the same time, ...
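The following CloudFormation templates are an added example of option C and are not part of the original page. The first stack is deployed once in the security team's account; the second is deployed in each member account. The CIDR ranges, names, and the organization ARN are constructed placeholders; the organization ARN is passed in as a parameter because its value is specific to the management account. Sharing with AWS Organizations must already be enabled in AWS RAM (from the management account) before the resource share can use the organization ARN as a principal.

```yaml
# --- Stack 1: security team's account (example, not from the original page) ---
AWSTemplateFormatVersion: '2010-09-09'
Description: Shared allow list of on-premises CIDR ranges
Parameters:
  OrganizationArn:
    Type: String
    # Assumed shape: arn:aws:organizations::<management-account-id>:organization/o-xxxxxxxxxx
    Description: ARN of the AWS Organization to share the prefix list with
Resources:
  OnPremAllowList:
    Type: AWS::EC2::PrefixList
    Properties:
      PrefixListName: onprem-allow-list
      AddressFamily: IPv4
      # Every security group that references this list is charged
      # MaxEntries rules against its rules-per-group quota, so keep
      # MaxEntries close to what the allow list really needs.
      MaxEntries: 20
      Entries:
        - Cidr: 10.10.0.0/16      # constructed sample range
          Description: HQ data centre
        - Cidr: 10.20.0.0/16      # constructed sample range
          Description: DR site
  OnPremAllowListShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: onprem-allow-list-share
      AllowExternalPrincipals: false   # organization accounts only
      ResourceArns:
        - !GetAtt OnPremAllowList.Arn
      Principals:
        - !Ref OrganizationArn
Outputs:
  PrefixListId:
    Description: The pl-... ID that account owners reference in security group rules
    Value: !Ref OnPremAllowList
---
# --- Stack 2: each member account (example, not from the original page) ---
AWSTemplateFormatVersion: '2010-09-09'
Description: Allow on-premises HTTPS traffic via the shared prefix list
Parameters:
  SharedPrefixListId:
    Type: String                        # the pl-... value from Stack 1's output
  AppSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id   # an existing group owned by the account
Resources:
  AllowOnPremHttps:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AppSecurityGroupId
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      # No CIDRs here: the rule follows whatever the shared list contains.
      SourcePrefixListId: !Ref SharedPrefixListId
```

Once member accounts reference the list, the security team can confirm adoption from the owning account with `aws ec2 get-managed-prefix-list-associations --prefix-list-id <pl-id>`, which returns the security group IDs and owner account IDs that currently reference it; that replaces the manual notification step with a check the security team can run itself.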
