ANS-C01 Question #239: Real Exam Question with Answer & Explanation
Question
A company has VPCs across 50 AWS accounts and is using AWS Organizations. The company wants to implement web filtering. The requirements for how the traffic must be filtered are the same for all the VPCs. A network engineer plans to use AWS Network Firewall. The network engineer needs to implement a solution that minimizes the number of firewall policies and rule groups that are necessary for this web filtering. Which combination of steps will meet these requirements? (Choose three.)
Options
- A. Create a firewall policy or rule group in each account.
- B. Use SCPs to share the firewall policy or rule group.
- C. Create a firewall policy or rule group in the management account.
- D. Use AWS Resource Access Manager (AWS RAM) to share the firewall policy or rule group.
- E. Enable sharing within Organizations.
- F. Create OUs to share the firewall policy or rule group.
Explanation
Creating a single firewall policy and its rule group in the management account (C) is the efficient choice: every VPC has identical filtering requirements, so one policy and one rule group can serve all of them instead of being duplicated across 50 accounts. AWS RAM (D) is the service that shares AWS Network Firewall firewall policies and stateful and stateless rule groups with other accounts in the organization; it is the distribution mechanism. Enabling sharing with AWS Organizations (E) is a prerequisite that is performed in AWS RAM from the management account; once it is on, a resource share can name the organization (or an OU) as the principal and every member account receives the share without accepting an individual invitation.
Two practical points the question glosses over. Sharing distributes only the definitions: each member account still creates its own firewall, with endpoints in its VPC subnets, that references the shared policy ARN. And because consumers reference the owner's resource rather than receiving a copy, a rule change made in the owning account takes effect in all 50 accounts at once. That is the point of the design, but it also makes write access to that policy and rule group a high-value permission to lock down.
Why the distractors are wrong:
- A is wrong because creating a policy in each account defeats the purpose of minimizing resources - it creates 50 separate policies instead of one.
- B is wrong because SCPs (Service Control Policies) are used to restrict permissions, not to share resources across accounts.
- F is wrong because OUs are organizational containers for grouping accounts - they are not a mechanism for sharing firewall resources.
Memory Tip 🧠
Think of it as "Enable → Create → Share": Enable org-wide sharing in RAM, Create once in the management account, and Share via RAM. When you see "minimize policies + multiple accounts + Organizations," think RAM plus the management account, not SCPs or per-account creation.
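The three steps above, carried through as API requests, as an added example that is not code from the original page or from AWS. The builder functions produce the boto3 request bodies for a stateful domain-list rule group (web filtering on the HTTP Host header and TLS SNI), the firewall policy that references it, the RAM resource share with the organization as principal, and the per-VPC firewall a member account still has to create against the shared policy. `deploy()` is the management-account side and assumes boto3 is installed with credentials for that account; the region, account IDs, organization ID, VPC and subnet IDs, and the blocked domains are all constructed placeholders.

```python
"""Share one Network Firewall web-filtering policy with a whole organization.

Added example, not the page's or AWS's code. deploy() assumes boto3 and
credentials for the management account (RAM org-wide sharing can only be
enabled from there). All IDs and domains below are constructed placeholders.
"""
import re

REGION = "us-east-1"                                    # assumption
MGMT_ACCOUNT = "111111111111"                           # placeholder management account
ORG_ARN = f"arn:aws:organizations::{MGMT_ACCOUNT}:organization/o-exampleorgid"  # placeholder
BLOCKED_DOMAINS = ["Malware.example.com", "*.ads.example.net", " phishing.example.org "]  # constructed


def normalize_domain(entry: str) -> str:
    """Domain lists take bare hostnames; a leading dot matches all subdomains.
    Reject URLs and convert the common '*.host' spelling to '.host'."""
    d = entry.strip().lower()
    if not d or "/" in d or ":" in d:
        raise ValueError(f"not a bare domain name: {entry!r}")
    if d.startswith("*."):
        d = d[1:]
    if not re.fullmatch(r"\.?[a-z0-9-]+(\.[a-z0-9-]+)+", d):
        raise ValueError(f"invalid domain: {entry!r}")
    return d


def domain_rule_group(name: str, domains: list[str], action: str = "DENYLIST") -> dict:
    """create_rule_group() request: stateful domain list matched on HTTP Host and
    TLS SNI. Capacity is fixed at creation (about one unit per domain), so add headroom."""
    targets = [normalize_domain(d) for d in domains]
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": len(targets) + 50,
        "RuleGroup": {"RulesSource": {"RulesSourceList": {
            "Targets": targets,
            "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
            "GeneratedRulesType": action,
        }}},
    }


def firewall_policy(name: str, stateful_rule_group_arns: list[str]) -> dict:
    """create_firewall_policy() request: send everything, fragments included, to
    the stateful engine so the shared domain list makes the decision."""
    return {
        "FirewallPolicyName": name,
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [{"ResourceArn": a} for a in stateful_rule_group_arns],
        },
    }


def resource_share(name: str, resource_arns: list[str], principal: str = ORG_ARN) -> dict:
    """create_resource_share() request. Naming the organization as principal is
    what 'enable sharing with Organizations' permits: no per-account invitations.
    allowExternalPrincipals stays False so the policy can never leave the org."""
    return {"name": name, "resourceArns": resource_arns,
            "principals": [principal], "allowExternalPrincipals": False}


def arn_account(arn: str) -> str:
    """Account field of arn:partition:service:region:account:resource."""
    return arn.split(":")[4]


def member_firewall(name: str, shared_policy_arn: str, vpc_id: str,
                    subnet_ids: list[str], this_account: str) -> dict:
    """create_firewall() request for a member account. Sharing delivers only the
    policy; each VPC still needs its own firewall and endpoints. A policy owned
    by this account would be a local copy, which is exactly what we avoid."""
    if arn_account(shared_policy_arn) == this_account:
        raise ValueError("policy is owned locally; attach the shared policy instead")
    return {"FirewallName": name, "FirewallPolicyArn": shared_policy_arn,
            "VpcId": vpc_id, "SubnetMappings": [{"SubnetId": s} for s in subnet_ids]}


def deploy() -> str:
    """Management-account side: enable org sharing (E), create once (C), share (D)."""
    import boto3  # imported here so the builders above stay importable offline
    ram = boto3.client("ram", region_name=REGION)
    nfw = boto3.client("network-firewall", region_name=REGION)
    ram.enable_sharing_with_aws_organization()
    rg = nfw.create_rule_group(**domain_rule_group("org-web-filter", BLOCKED_DOMAINS))
    rg_arn = rg["RuleGroupResponse"]["RuleGroupArn"]
    pol = nfw.create_firewall_policy(**firewall_policy("org-web-filter", [rg_arn]))
    pol_arn = pol["FirewallPolicyResponse"]["FirewallPolicyArn"]
    ram.create_resource_share(**resource_share("org-web-filter", [pol_arn, rg_arn]))
    return pol_arn  # hand this ARN to the 50 accounts; each calls member_firewall() with it
```

Run `deploy()` once in the management account and distribute the returned policy ARN; each member account then passes that ARN, its own account ID, VPC and firewall subnets to `member_firewall()` and calls `create_firewall` with the result. The owner-check in `member_firewall()` is a cheap guard against the distractor in option A creeping back in as a locally created duplicate.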