AWS WAF Management Across Multiple Accounts | Best Method for AWS System Administrators


Question

As an AWS system administrator, you manage an AWS Organizations organization that contains dozens of AWS accounts.

From time to time, you need to create the same WAF web ACLs in all the accounts. For example, a web ACL should be created to block some suspicious IPs.

You would like to manage WAF rules across multiple accounts and resources in the Organization. Which method is the most suitable one for you to select?

Answers

Explanations


A. B. C. D.

Answer: A.

Option A is CORRECT because AWS Firewall Manager can manage WAF web ACLs for the accounts within an AWS Organizations organization.

Option B is incorrect because AWS Organizations itself has no feature for managing AWS WAF across the member accounts of an organization.

Option C is incorrect because AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources, but it cannot be used to manage cross-account web ACLs.

Option D is incorrect because users need to configure AWS Firewall Manager rule groups and policies first within an Organization to create cross-account WAF rules.

AWS Firewall Manager centrally manages AWS WAF rules, AWS Shield Advanced protections, and Amazon VPC security groups across multiple accounts and resources.

Details can be found in the reference below.

Reference:

https://docs.aws.amazon.com/waf/latest/developerguide/create-policy.html#creating-firewall-manager-policy-for-waf

The most suitable method for managing WAF web ACLs across multiple accounts and resources in an AWS Organization is to use AWS Firewall Manager.

Option A is the correct answer. With AWS Firewall Manager, you can centrally manage and deploy AWS WAF rules across multiple AWS accounts and resources within an AWS Organization. This helps to ensure consistent protection against common web-based attacks, such as SQL injection and cross-site scripting (XSS), without the need to configure and manage the rules in each individual account.

To use AWS Firewall Manager, you create a WAF policy that defines the rule groups and settings for the web ACL. Once the policy is created, Firewall Manager applies it to each in-scope account within the AWS Organization, creating a web ACL there and associating it with the resources you want to protect, such as Amazon CloudFront distributions, Application Load Balancers, or Amazon API Gateway APIs.
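The policy described above, as an added worked example that is not part of the original page and not AWS's own code: a Python script that assembles the request body a Firewall Manager administrator account would pass to the `fms` `put_policy` API for a WAFv2 policy. The policy front-loads a custom rule group (the kind that would hold an IP set of suspicious addresses) ahead of an AWS managed rule group, and scopes the deployment to an organizational unit. The rule group ARN and OU id are placeholders; the resource type strings and the shape of `ManagedServiceData` follow the WAFv2 policy format, and the script validates the common mistakes (nested object instead of a JSON string, rule group entries with both or neither identifier) before anything is sent.

```python
"""Assemble and sanity-check a Firewall Manager WAFv2 policy request.

Added example, not from the original page. Replace the placeholder
identifiers with your own rule group ARN and organizational unit ids.
"""
import json

# Placeholder identifiers (assumed values, not real resources).
BLOCKLIST_RULE_GROUP_ARN = (
    "arn:aws:wafv2:us-east-1:111122223333:regional/rulegroup/"
    "block-suspicious-ips/PLACEHOLDER-RULE-GROUP-ID"
)
TARGET_OU_IDS = ["ou-abcd-11111111"]  # placeholder OU id


def managed_service_data(custom_rule_group_arn):
    """WAFv2-specific part of the policy (serialised into ManagedServiceData).

    preProcessRuleGroups run before any rules an account owner adds to the
    web ACL; postProcessRuleGroups run after them.
    """
    return {
        "type": "WAFV2",
        "preProcessRuleGroups": [
            {
                # Custom rule group owned by the Firewall Manager admin
                # account, e.g. one rule that blocks an IP set.
                "ruleGroupArn": custom_rule_group_arn,
                "overrideAction": {"type": "NONE"},
                "managedRuleGroupIdentifier": None,
                "ruleGroupType": "RuleGroup",
                "excludeRules": [],
            },
            {
                # AWS managed rule group as a baseline behind the blocklist.
                "ruleGroupArn": None,
                "overrideAction": {"type": "NONE"},
                "managedRuleGroupIdentifier": {
                    "version": None,
                    "vendorName": "AWS",
                    "managedRuleGroupName": "AWSManagedRulesCommonRuleSet",
                },
                "ruleGroupType": "ManagedRuleGroup",
                "excludeRules": [],
            },
        ],
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        # False keeps web ACLs member accounts already attached to a resource;
        # True replaces them with the policy's web ACL.
        "overrideCustomerWebACLAssociation": False,
        "loggingConfiguration": None,
    }


def build_policy(policy_name, custom_rule_group_arn, ou_ids, remediate=True):
    """Full request body for fms.put_policy(Policy=...).

    ManagedServiceData must be a JSON-encoded *string*; passing the dict
    directly is rejected by the service.
    """
    return {
        "PolicyName": policy_name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": json.dumps(
                managed_service_data(custom_rule_group_arn)
            ),
        },
        # When ResourceTypeList is used, ResourceType must be this literal.
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": [
            "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "AWS::ApiGateway::Stage",
        ],
        "ExcludeResourceTags": False,
        # Remediation lets Firewall Manager create/associate the web ACL in
        # each in-scope account instead of only reporting non-compliance.
        "RemediationEnabled": remediate,
        "IncludeMap": {"ORGUNIT": list(ou_ids)},
    }


def decode_service_data(policy):
    """Return the ManagedServiceData string parsed back into a dict."""
    return json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])


def check_policy(policy):
    """Return a list of problems; an empty list means the body looks sane."""
    problems = []
    service = policy["SecurityServicePolicyData"]
    if not isinstance(service["ManagedServiceData"], str):
        return ["ManagedServiceData must be a JSON-encoded string"]
    data = json.loads(service["ManagedServiceData"])
    if service["Type"] != "WAFV2" or data.get("type") != "WAFV2":
        problems.append("policy Type and ManagedServiceData type must both be WAFV2")
    groups = data.get("preProcessRuleGroups", []) + data.get("postProcessRuleGroups", [])
    for i, group in enumerate(groups):
        # Each entry must name exactly one of: custom ARN or managed identifier.
        if bool(group.get("ruleGroupArn")) == bool(group.get("managedRuleGroupIdentifier")):
            problems.append(f"rule group {i}: set exactly one of ruleGroupArn / managedRuleGroupIdentifier")
    if policy.get("ResourceTypeList") and policy.get("ResourceType") != "ResourceTypeList":
        problems.append("ResourceType must be 'ResourceTypeList' when ResourceTypeList is set")
    return problems


if __name__ == "__main__":
    policy = build_policy("org-waf-blocklist", BLOCKLIST_RULE_GROUP_ARN, TARGET_OU_IDS)
    print(json.dumps(policy, indent=2))
    print("problems:", check_policy(policy))
    # To deploy from the Firewall Manager administrator account (needs boto3
    # and credentials): boto3.client("fms", region_name="us-east-1").put_policy(Policy=policy)
```

Run it stand-alone to print the request body and the validation result; the actual `put_policy` call is left as a comment because it needs credentials in the organization's Firewall Manager administrator account. Ordering the custom blocklist group in `preProcessRuleGroups` guarantees the block decision is taken before any rule an individual account adds to its web ACL.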

Option B is incorrect because AWS Organizations does not provide a built-in way to manage AWS WAF conditions, rules, and ACLs. While it is possible to use AWS Organizations to manage the accounts within your organization, you still need to use a separate service, such as AWS Firewall Manager, to manage your WAF rules.

Option C is also incorrect because AWS Config is not designed to manage cross-account web ACLs. AWS Config is a service that enables you to assess, audit, and evaluate the configuration of your AWS resources for compliance and security purposes. While it can be used to monitor changes to your WAF configuration, it does not provide a way to manage cross-account web ACLs.

Option D is also incorrect because there is no need to designate a specific AWS account as the WAF administrator. AWS Firewall Manager provides a centralized way to manage your WAF rules across multiple accounts within an AWS Organization, without the need to designate a specific account for this purpose.