Q57 — AWS DOP-C02 Ch.2
A company operates an organization within AWS Organizations, consisting of many accounts belonging to different business units. The organization has a dedicated master AWS account. The company needs to enforce server-side encryption for Amazon Elastic Block Store (Amazon EBS) volumes and Amazon Simple Queue Service (Amazon SQS) queues created or updated in the AWS cloud across accounts in an organizational unit (OU). Which solution must be implemented before CloudFormation stack operations to enforce this policy?
- A. Enable trusted access for AWS CloudFormation. Create a CloudFormation hook to enforce server-side encryption for EBS volumes and SQS queues. Deploy the hook across accounts in the OU using StackSets. ✓
- B. Deploy a workstation across all accounts. Use AWS Systems Manager to deploy AWS Config rules enforcing server-side encryption for EBS volumes and SQS queues in accounts within the OU.
- C. Write a Service Control Policy (SCP) denying creation of EBS volumes and SQS queues unless they have server-side encryption enabled. Attach the SCP to the OU.
- D. Develop an AWS Lambda function in the authorized administrator account that checks whether EBS volumes and SQS queues enforce server-side encryption. Create an IAM role granting Lambda access to accounts in the OU.
Correct Answer: A. Enable trusted access for AWS CloudFormation. Create a CloudFormation hook to enforce server-side encryption for EBS volumes and SQS queues. Deploy the hook across accounts in the OU using StackSets.
Explanation
This question involves cross-account policy enforcement in AWS Organizations, requiring enforcement of resource-level security policies during CloudFormation deployments. AWS documentation states that CloudFormation Hooks enable policy validation prior to resource creation, ensuring compliance before provisioning. Combined with trusted access and AWS CloudFormation StackSets, hooks can be deployed en masse to all accounts in a target OU. Option B relies on post-deployment monitoring via AWS Config rules, so it does not meet the requirement to enforce the policy before CloudFormation stack operations. Option C's SCP is overly broad and lacks granularity for specific resource types like EBS volumes and SQS queues. Option D introduces a custom, non-integrated solution. Option A's hook mechanism intercepts noncompliant operations at resource creation time, satisfying the prerequisite condition stated in the question.