Q59 — AWS DOP-C02 Ch.1
Question 59 of 100
A company uses AWS Organizations to manage multiple accounts. Its information security policy requires unencrypted Amazon EBS volumes to be marked non-compliant. A DevOps engineer must automatically deploy a solution and ensure this compliance check remains continuously enforced. Which solution achieves this?
- A. Create an AWS CloudFormation template defining an AWS Inspector rule to check whether EBS encryption is enabled. Store the template in an Amazon S3 bucket shared across all company accounts. Update the account-creation script to reference the CloudFormation template in Amazon S3.
- B. Create an AWS Config organization rule to check whether EBS encryption is enabled and deploy it using the AWS CLI. Create and apply an SCP to prevent stopping or deleting AWS Config across the entire organization. ✓
- C. Create an SCP in the organization. Use condition expressions to deny launching Amazon EC2 instances when EBS volumes are unencrypted. Apply the SCP to all AWS accounts. Use Amazon Athena to analyze AWS CloudTrail output to identify denied ec2:RunInstances events.
- D. Deploy an IAM role to all accounts from a single trusted account. Use AWS CodePipeline to build a pipeline with an AWS Lambda stage assuming the IAM role to list all EBS volumes in each account. Publish reports to Amazon S3.
Correct Answer: B. Create an AWS Config organization rule to check whether EBS encryption is enabled and deploy it using the AWS CLI. Create and apply an SCP to prevent stopping or deleting AWS Config across the entire organization.
Explanation
AWS Config organization rules give centralized, consistent monitoring of resource configurations across every account in the organization, including the encryption status of EBS volumes. Deploying the rule once from the management (or delegated administrator) account with the AWS CLI applies it uniformly to all member accounts, including accounts that join later. An SCP that denies stopping or deleting AWS Config (the configuration recorder, the delivery channel and the rules themselves) keeps the check active even if an administrator in a member account tries to switch it off, which is what makes the compliance check continuously enforced; note that SCPs do not restrict the management account itself. Option A uses Amazon Inspector, which assesses vulnerabilities rather than resource configuration, and only runs when the account-creation script does; Option C blocks launches instead of marking existing unencrypted volumes non-compliant and provides no compliance status; Option D produces an inventory report, not a continuously enforced compliance evaluation. Thus, Option B is correct.