A company has multiple AWS accounts in AWS Organizations across global offices. The company must update security group rules to add new office CIDR ranges or remove old CIDR ranges across the organization, while minimizing administrative overhead. Which solution is the MOST cost-effective for centralized management of those CIDR ranges?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a VPC customer managed prefix list that contains the CIDR ranges. Use AWS Resource Access Manager (AWS RAM) to share the prefix list across the organization. Reference the prefix list in security groups across the organization..
Why this is the answer
The most cost-effective and efficient solution is to use a customer-managed prefix list shared via AWS Resource Access Manager (RAM). A prefix list allows you to group multiple CIDR blocks into a single object. When the CIDR ranges change, you only update the prefix list, and all security groups referencing it automatically reflect the changes. Sharing it with RAM makes it available across all accounts in the organization, centralizing management and minimizing administrative overhead. Creating VPC security groups in the management account would require manual updates in each security group, which is inefficient. AWS managed prefix lists are pre-defined by AWS and cannot be customized for specific office CIDR ranges. AWS Firewall Manager is powerful but often overkill and more complex for just managing CIDR ranges in security groups, and it would still require a mechanism to update the underlying security groups or prefix lists.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed