Q96 — AWS DOP-C02 Ch.1
A company requires its internal business teams to deploy resources only through pre-approved AWS CloudFormation templates. The security team needs automated monitoring that detects when resources drift from their expected state.
- A. Allow users to deploy CloudFormation stacks only using a CloudFormation service role. Use CloudFormation drift detection to detect when resources deviate from their expected state.
- B. Allow users to deploy CloudFormation stacks only using a CloudFormation service role. Use AWS Config rules to detect when resources deviate from their expected state.
- C. Allow users to deploy CloudFormation stacks only using AWS Service Catalog. Enforce launch constraints. Use AWS Config rules to detect when resources deviate from their expected state. ✓
- D. Allow users to deploy CloudFormation stacks only using AWS Service Catalog. Enforce template constraints. Use Amazon EventBridge notifications to detect when resources deviate from their expected state.
Correct Answer: C. Allow users to deploy CloudFormation stacks only using AWS Service Catalog. Enforce launch constraints. Use AWS Config rules to detect when resources deviate from their expected state.
Explanation
AWS Service Catalog enables centralized governance by allowing organizations to provision approved IT services, including CloudFormation templates, while enforcing constraints (e.g., launch constraints restrict deployment methods). AWS Config continuously evaluates resource configurations against desired states and triggers alerts on drift, providing automated, ongoing compliance monitoring. Option C combines Service Catalog’s deployment control with AWS Config’s drift detection, directly fulfilling both the approval enforcement and automated monitoring requirements.
Option D uses EventBridge notifications, which lack proactive drift assessment capability. Options A and B omit template governance: CloudFormation service roles do not enforce template approval, and drift detection applies only to stacks deployed via CloudFormation, not all resources.