Q14 — AWS DOP-C02 Ch.1
A company uses AWS Organizations to manage its AWS accounts. It has enabled AWS Config across all member accounts using AWS CloudFormation StackSets. The company has enabled trusted access for AWS Config in Organizations and designated a member account as the delegated administrator for AWS Config.
- A. Create a CloudFormation template containing AWS Config rules and remediation actions. Deploy the template using CloudFormation StackSets from the Organizations management account.
- B. Create an AWS Config conformance pack containing AWS Config rules and remediation actions. Deploy the conformance pack using CloudFormation StackSets from the Organizations management account.
- C. Create a CloudFormation template containing AWS Config rules and remediation actions. Deploy the template using AWS Config from the delegated administrator account.
- D. Create an AWS Config conformance pack containing AWS Config rules and remediation actions. Deploy the conformance pack using AWS Config from the delegated administrator account. ✓
Correct Answer: D. Create an AWS Config conformance pack containing AWS Config rules and remediation actions. Deploy the conformance pack using AWS Config from the delegated administrator account.
Explanation
Per the scenario, the company requires a unified, centrally managed AWS Config rule baseline across all current and future member accounts, with remediation actions governed exclusively by the central (delegated admin) account—and non-admin users in member accounts must not be able to modify those rules.

Option D fulfills all criteria: AWS Config conformance packs encapsulate rules and remediations as a single, versioned unit; deploying them via AWS Config (not CloudFormation) from the delegated admin account ensures centralized governance, automatic propagation to new accounts, and immutability for non-admin users in member accounts.

Options A and B use StackSets but bypass AWS Config’s native conformance pack lifecycle and delegation model. Option C misuses CloudFormation for rule deployment instead of AWS Config’s native mechanism. Therefore, D is correct.