The company needs centralized, scalable protection acrossmany accountsfor bothexisting and futureAPI Gateway resources, with minimal ongoing effort.AWS Firewall Manageris specifically designed for this: it can centrally deploy and enforceAWS WAFprotections across AWS Organizations. By creating a Firewall ManagerWAF policy, the security team defines a single set of controls (for example, AWS Managed Rules for SQL injection protection andAWS Bot Control) and applies them automatically to in-scope resources across member accounts.

Critically, Firewall Manager can be configured toauto-remediate noncompliant resources, ensuring that if new API Gateway stages are created later, they are automatically brought under the policy without manual per-account work. This directly meets the “existing and future resources” requirement.

Options A, C, and D introduce higher operational overhead: per-API ACL creation plus AWS Config remediation (A) is more moving parts; Service Catalog plus detection/remediation (C) is indirect and heavy; and Security Hub + EventBridge + Lambda automation (D) is custom engineering and maintenance. Firewall Manager is the AWS-native centralized governance solution for multi-account WAF rollout and enforcement.