ANS-C01 Question #118: Real Exam Question with Answer & Explanation
Question
A company has several production applications across different accounts in the AWS Cloud. The company operates from the us-east-1 Region only. Only certain partner companies can access the applications. The applications are running on Amazon EC2 instances that are in an Auto Scaling group behind an Application Load Balancer (ALB). The EC2 instances are in private subnets and allow traffic only from the ALB. The ALB is in a public subnet and allows inbound traffic only from partner network IP address ranges over port 80. When the company adds a new partner, the company must allow the IP address range of the partner network in the security group that is associated with the ALB in each account. A network engineer must implement a solution to centrally manage the partner network IP address ranges. Which solution will meet these requirements in the MOST operationally efficient manner?
Options
- A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that
- B. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Use Amazon
- C. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Share the prefix list
- D. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to
Explanation
Option C is correct because AWS Resource Access Manager (RAM) allows you to create a managed prefix list - a centralized, reusable set of CIDR blocks - and share it across multiple AWS accounts. When a new partner is added, you update the prefix list in one place, and the change automatically propagates to all security groups referencing that prefix list across all accounts, eliminating manual per-account updates.
Why the distractors are wrong:
- Option A (DynamoDB): Using DynamoDB to track IP ranges and security groups requires custom automation (e.g., Lambda) to push changes, adding unnecessary complexity and operational overhead.
- Option B (prefix list without sharing): Creating a prefix list within a single account does not solve the multi-account management problem - other accounts still can't reference the same list.
- Option D (S3 bucket): Similar to DynamoDB, using S3 as a data store requires building custom automation to read and apply changes across accounts, which is operationally inefficient.
Memory Tip: Think "Prefix List + RAM = Centralized Multi-Account IP Management." Whenever you see a question about managing IP ranges across multiple AWS accounts, the combination of a managed prefix list shared via AWS Resource Access Manager (RAM) is almost always the operationally efficient answer - one update, everywhere applied.
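As an added illustration (not part of the original question or explanation), a CloudFormation sketch of the option C design: the owning account defines the managed prefix list and shares it through RAM, and each application account points its ALB security group rule at the shared prefix-list ID instead of hard-coding partner CIDRs. The partner CIDRs, account ID, and security group ID below are placeholders.

```yaml
# Owner (shared-services) account: the central prefix list, shared via RAM.
# Placeholders: partner CIDRs, the consumer account ID, and the ALB security group ID.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  PartnerPrefixList:
    Type: AWS::EC2::PrefixList
    Properties:
      PrefixListName: partner-network-ranges
      AddressFamily: IPv4
      MaxEntries: 50              # headroom for future partners (see note below)
      Entries:
        - Cidr: 203.0.113.0/24    # placeholder: partner A (documentation range)
          Description: partner-a
        - Cidr: 198.51.100.0/24   # placeholder: partner B (documentation range)
          Description: partner-b
  PartnerPrefixListShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: partner-prefix-list-share
      ResourceArns:
        - !GetAtt PartnerPrefixList.Arn
      Principals:
        - "111122223333"          # placeholder: an application account (or OU/org ARN)
      AllowExternalPrincipals: false   # keep the share inside the organization
Outputs:
  PrefixListId:
    Value: !Ref PartnerPrefixList   # pl-xxxx that application accounts reference

---
# Consumer (application) account: the ALB security group admits port 80 only from
# the shared prefix list, so onboarding a partner never touches this template.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SharedPrefixListId:
    Type: String                # pl-xxxx from the owner stack's output
  AlbSecurityGroupId:
    Type: String                # placeholder: sg-xxxx of the ALB
Resources:
  AlbIngressFromPartners:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AlbSecurityGroupId
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      SourcePrefixListId: !Ref SharedPrefixListId
      Description: partner networks via shared managed prefix list
```

A referenced prefix list's MaxEntries counts against the rules quota of every security group that references it, so size it deliberately rather than generously.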