Q85 — AWS DOP-C02 Ch.1
A company uses an Application Load Balancer (ALB) as part of its application architecture. The company owns the ALB in an AWS account that belongs to an organization within AWS Organizations. The company has configured AWS Config in all AWS accounts within the organization. The company needs to apply an AWS WAF Web ACL with a set of common rules to the ALB—including any ALBs created in the future—and allow administrators of each AWS account to define their own AWS WAF rules that supplement the common rules provided by the company’s security team. Which solution meets these requirements?
- A. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy. Enable auto-remediation and define the Web ACL. Configure the policy scope to apply to all ALBs in the organization. ✓
- B. Use AWS Resource Access Manager (AWS RAM) from the organization’s management account to enable resource sharing across the organization. Create a Web ACL. Configure Web ACL resource sharing for the organization. Associate the shared Web ACL with all ALBs in the organization.
- C. Set up the ALB_WAF_ENABLED AWS Config managed rule with auto-remediation enabled. Configure the rule to create a Web ACL and attach it to all ALBs in the AWS account. Create a compliance pack containing this rule. Deploy the compliance pack to all AWS accounts in the organization.
- D. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy defining the Web ACL. Set up the ALB_WAF_ENABLED AWS Config managed rule with auto-remediation enabled. Configure the rule to attach the Web ACL to all ALBs in the AWS account. Deploy the rule to all AWS accounts in the organization.
Correct Answer: A. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy. Enable auto-remediation and define the Web ACL. Configure the policy scope to apply to all ALBs in the organization.
Explanation
AWS Firewall Manager provides centralized management of AWS WAF rules across the accounts and resources of an AWS Organization. A Firewall Manager WAF policy defines rule groups that run first and last in each managed Web ACL; Firewall Manager creates that Web ACL in every in-scope account, attaches it to matching resources (including resources created later), and leaves room for account administrators to add their own rules between the centrally managed rule groups. Option A correctly implements this by configuring Firewall Manager with auto-remediation and scoping the policy to all ALBs in the organization, satisfying both centralized governance and per-account customization. Option B misuses AWS RAM, which shares resources rather than WAF configurations and cannot enforce or compose WAF rules across accounts. Option C relies solely on AWS Config, which detects and remediates misconfigurations but cannot orchestrate multi-account WAF rule composition or inheritance. Option D conflates Firewall Manager and Config, adding redundancy and failing to use Firewall Manager's native cross-account rule layering.