Q96 — AWS DOP-C02 Ch.1

A company requires its internal business teams to deploy resources only through pre-approved AWS CloudFormation templates. When resources drift from their expected state, the security team needs automated monitoring.

Correct Answer: C. Allow users to deploy CloudFormation stacks only using AWS Service Catalog. Enforce launch constraints. Use AWS Config rules to detect when resources deviate from their expected state.

Explanation

AWS Service Catalog enables centralized governance by allowing organizations to provision approved IT services—including CloudFormation templates—while enforcing constraints (e.g., launch constraints restrict deployment methods). AWS Config continuously evaluates resource configurations against desired states and triggers alerts on drift, providing automated, ongoing compliance monitoring. Option C combines Service Catalog’s deployment control with AWS Config’s drift detection—directly fulfilling both the approval enforcement and automated monitoring requirements.

Option D uses EventBridge notifications, which lack proactive drift assessment capability. Options A and B omit template governance: CloudFormation service roles do not enforce template approval, and drift detection applies only to stacks deployed via CloudFormation—not all resources.