
In Computers and Technology / High School | 2025-07-08

A company is migrating to AWS. The company created a central networking account in an organization in AWS Organizations with all features enabled. The networking account has a VPC that includes a custom firewall appliance. The company configured the inbound routes from the Internet to route to the appliance.

The company will set up new AWS accounts for the company's migrated services. All the new accounts will share the same new OU. Users of the new accounts will assume IAM roles that have the AdministratorAccess policy.

All inbound traffic from the internet in all new accounts must be routed through the central networking account. The company needs a solution that does not deploy an internet gateway into the new accounts. The solution must not allow changes to the route tables for any public subnets.

Which solution will meet these requirements?

A. Create an IAM permissions boundary that blocks access to the CreateInternetGateway action. Assign the permissions boundary to the IAM roles in each account. Configure AWS Resource Access Manager (AWS RAM) to share the route table from the networking account. Assign the route table to any new public subnets in the new accounts that require inbound access.

B. Create an SCP that allows only the specific actions that users need in the new accounts. Configure VPC peering with any of the new VPCs in the new accounts. Configure the route tables that are attached to the public subnets in the networking account to point traffic to the new VPCs that require inbound access.

C. Create an SCP that blocks the creation and attachment of internet gateways. Assign the SCP to the OU. Configure AWS Resource Access Manager (AWS RAM) to share the public subnets from the networking account. Use the OU ID as the principal. Use the shared subnets for resources that require inbound internet access.

D. Update the IAM roles with an inline policy that adds a Deny statement to block the ReplaceRoute action. Create a transit gateway. Enable appliance mode on the transit gateway. Attach the transit gateway to the networking account's VPC and to each of the new accounts. Route traffic from the internet to the transit gateway for any subnet that requires inbound access.

Asked by angelcat688

Answer (1)

This question involves creating a network architecture in AWS that routes inbound internet traffic through a central networking account using AWS Organizations. Given the requirements, we need to find a solution that meets the following criteria:

No Internet Gateway: The solution should not deploy an internet gateway in the new accounts.
Route Tables Management: There should be no changes to route tables for public subnets in the new accounts.
Centralized Traffic Management: All inbound internet traffic should route through the central networking account's custom firewall appliance.

Let's analyze each of the provided options:

Option A: It involves sharing the route table from the networking account and using an IAM permissions boundary to block internet gateway creation. While this seems logical, it does not address routing all internet traffic through the central account's custom appliance effectively.

Option B: This option suggests using VPC peering and changing route tables in the networking account to point traffic to new VPCs. However, modifying route tables in new accounts would conflict with the requirement not to change them for any public subnets.

Option C: Sharing public subnets through AWS RAM and enforcing a policy to block internet gateway creation is a viable option. By using the public subnets shared across new accounts, it ensures all traffic passes through the central networking account without modifying route tables or deploying new internet gateways.

Option D: This option involves an inline policy to block route modifications and using a transit gateway for routing. The appliance mode on the transit gateway and direct routing can appropriately channel traffic as needed. However, it requires setting up a transit gateway across multiple accounts.


Chosen Option:
Option C is the most suitable solution. It leverages AWS Resource Access Manager to share public subnets from the central networking account, thus ensuring that all inbound traffic routes through this account. Additionally, an SCP (Service Control Policy) blocks internet gateway deployment in the new accounts, aligning perfectly with the provided requirements.
This setup effectively centralizes traffic management via the existing custom firewall appliance in the central account without making any route table changes in the new accounts or deploying new internet gateways in these accounts.

Answered by ElijahBenjaminCarter | 2025-07-22
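As an added illustration of why option C works (this is example code written for this page, not anything from the question's author or from AWS), the block below models the two mechanisms the answer relies on: an SCP that explicitly denies creating or attaching internet gateways, which binds every principal in a member account regardless of its IAM policies (including roles with AdministratorAccess), and a RAM resource share of the networking account's public subnets with the OU as principal. The account IDs, organization ID, OU ID and subnet ID are constructed placeholders; the SCP evaluation is a simplified model (explicit Deny wins, otherwise an Allow must exist, NotAction not handled), and the share parameters mirror the keyword arguments of boto3's `ram.create_resource_share` without calling AWS.

```python
import fnmatch
import re

# SCP of the kind option C describes (policy text constructed for this example).
# Attach it to the OU that holds the new accounts; it applies to every principal
# in those accounts, so AdministratorAccess roles cannot bypass it.
SCP_DENY_IGW = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInternetGatewayCreateAttach",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:CreateEgressOnlyInternetGateway",
            ],
            "Resource": "*",
        }
    ],
}

# The default FullAWSAccess SCP that AWS Organizations attaches to every root/OU.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action names are matched case-insensitively and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def scp_permits(action, scps):
    """Simplified SCP evaluation for one API action against the SCPs on an account.

    An explicit Deny in any SCP wins outright; otherwise the action must be
    covered by an Allow statement in at least one SCP. This is the reason the
    answer does not need IAM permissions boundaries or inline Deny policies.
    """
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if "Action" not in stmt:  # NotAction statements are not modelled here
                continue
            if _matches(stmt["Action"], action):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


# ARN shapes for an Organizations OU and an EC2 subnet (formats from AWS docs;
# the concrete IDs used in the tests are placeholders).
_OU_ARN = re.compile(r"^arn:aws:organizations::\d{12}:ou/o-[a-z0-9]{10,32}/ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")
_SUBNET_ARN = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:(\d{12}):subnet/subnet-[0-9a-f]+$")


def ram_share_request(networking_account_id, subnet_arns, ou_arn, name="central-public-subnets"):
    """Build the parameters for RAM CreateResourceShare that share the networking
    account's public subnets with a whole OU.

    Participants launch resources into the shared subnets, but the VPC, its route
    tables and its internet gateway stay owned by the networking account, so the
    inbound path through the firewall appliance cannot be altered from the new
    accounts. Raises ValueError on a principal or subnet that does not fit the
    intended design.
    """
    if not _OU_ARN.match(ou_arn):
        raise ValueError(f"principal must be an Organizations OU ARN: {ou_arn}")
    for arn in subnet_arns:
        m = _SUBNET_ARN.match(arn)
        if not m or m.group(1) != networking_account_id:
            raise ValueError(f"not a subnet owned by the networking account: {arn}")
    return {
        "name": name,
        "resourceArns": list(subnet_arns),
        "principals": [ou_arn],
        "allowExternalPrincipals": False,  # stay inside the organization
    }
```

The check in `ram_share_request` encodes the design constraint rather than AWS's own validation: sharing with the OU ARN means accounts added to that OU later inherit the subnets automatically, and refusing external principals keeps the share bound to the organization where the SCP is enforced.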