Q57 — AWS DOP-C02 Ch.2

A company operates an organization within AWS Organizations, consisting of many accounts belonging to different business units. The organization has a dedicated master AWS account. The company needs to enforce server-side encryption for Amazon Elastic Block Store (Amazon EBS) volumes and Amazon Simple Queue Service (Amazon SQS) queues created or updated in the AWS cloud across accounts in an organizational unit (OU). Which solution must be implemented before CloudFormation stack operations to enforce this policy?

Correct Answer: A. Enable trusted access for AWS CloudFormation. Create a CloudFormation hook to enforce server-side encryption for EBS volumes and SQS queues. Deploy the hook across accounts in the OU using StackSets.

Explanation

This question involves cross-account policy enforcement in AWS Organizations: resource-level security policies must be enforced during CloudFormation deployments, not after them. AWS documentation states that CloudFormation Hooks validate policy before a resource is created or updated, so compliance is checked before provisioning. Enabling trusted access for CloudFormation in the organization lets StackSets with service-managed permissions target an OU, so the hook can be deployed to every account in the OU in one operation. Option B relies on post-deployment monitoring via AWS Config rules, which fails the 'before CloudFormation stack operation' requirement. Option C's SCP is overly broad and lacks granularity for specific resource types such as EBS volumes and SQS queues. Option D introduces a custom, non-integrated solution. Option A's hook intercepts noncompliant operations at resource creation or update time, satisfying the prerequisite condition stated in the question.
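As an added illustration (not part of the original question and not AWS's own hook code), the policy logic a hook's preCreate/preUpdate handler would evaluate for the two resource types, written as a standalone Python function so it runs without the CloudFormation CLI plugin. The property names are the real AWS::EC2::Volume and AWS::SQS::Queue properties; the HookResult type, the way the target type and properties are passed in, and the sample template are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass
class HookResult:
    status: str   # "SUCCESS" or "FAILED", the status a hook handler reports back
    message: str


def _is_true(value) -> bool:
    # Accept Encrypted: true (bool) and Encrypted: "true" (string); both occur in templates.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def evaluate_target(target_name: str, resource_properties: dict) -> HookResult:
    """One resource's check, shaped like a preCreate/preUpdate handler's input (assumed)."""
    if target_name == "AWS::EC2::Volume":
        if _is_true(resource_properties.get("Encrypted")):
            return HookResult("SUCCESS", "EBS volume is encrypted")
        return HookResult("FAILED", "AWS::EC2::Volume must set Encrypted: true")
    if target_name == "AWS::SQS::Queue":
        # Either SSE option satisfies the policy. A queue declaring neither is
        # rejected: this example's policy choice, so encryption is explicit in
        # the template instead of being left to service defaults.
        if resource_properties.get("KmsMasterKeyId"):
            return HookResult("SUCCESS", "SQS queue uses SSE-KMS")
        if _is_true(resource_properties.get("SqsManagedSseEnabled")):
            return HookResult("SUCCESS", "SQS queue uses SSE-SQS")
        return HookResult("FAILED", "AWS::SQS::Queue must set KmsMasterKeyId or SqsManagedSseEnabled: true")
    # CloudFormation only invokes a hook for its registered target types.
    return HookResult("SUCCESS", f"{target_name} is not a hook target")


def check_template(template: dict) -> dict:
    """Return {logical_id: message} for resources a hook in FAIL mode would block."""
    failures = {}
    for logical_id, res in template.get("Resources", {}).items():
        result = evaluate_target(res.get("Type", ""), res.get("Properties", {}))
        if result.status == "FAILED":
            failures[logical_id] = result.message
    return failures


# Constructed sample template (not from the page): one compliant and one noncompliant resource per type.
SAMPLE_TEMPLATE = {"Resources": {
    "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 20, "Encrypted": True}},
    "ScratchVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 8}},
    "OrdersQueue": {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "AuditQueue": {"Type": "AWS::SQS::Queue", "Properties": {"SqsManagedSseEnabled": False}},
}}
```

Running `check_template(SAMPLE_TEMPLATE)` flags ScratchVolume and AuditQueue, the two resources a hook deployed with FailureMode FAIL would stop before provisioning.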