Q85 — AWS DOP-C02 Ch.1

A company uses an Application Load Balancer (ALB) as part of its application architecture. The company owns the ALB in an AWS account that belongs to an organization within AWS Organizations. The company has configured AWS Config in all AWS accounts within the organization. The company needs to apply an AWS WAF Web ACL with a set of common rules to the ALB—including any ALBs created in the future—and allow administrators of each AWS account to define their own AWS WAF rules that supplement the common rules provided by the company’s security team. Which solution meets these requirements?

Correct Answer: A. Configure AWS Firewall Manager for the organization. In the Firewall Manager administrator account, create an AWS WAF policy. Enable auto-remediation and define the Web ACL. Configure the policy scope to apply to all ALBs in the organization.

Explanation

AWS Firewall Manager provides centralized management of AWS WAF rules across the accounts and resources of an AWS Organization. A Firewall Manager WAF policy defines a common Web ACL centrally, and the administrators of each member account can add their own rules to that Web ACL alongside the centrally managed rule groups, which gives the layered composition the question asks for. Option A implements this correctly: Firewall Manager is configured with auto-remediation and the policy scope covers all ALBs in the organization, so existing and future ALBs receive the common rules while each account retains the ability to add its own. Option B misuses AWS RAM, which shares resources rather than WAF configurations and cannot enforce or compose WAF rules. Option C relies solely on AWS Config, which can detect and remediate misconfigurations but cannot orchestrate multi-account WAF rule composition. Option D conflates Firewall Manager and Config, adding redundancy without using Firewall Manager's native cross-account rule layering.