Q74 — AWS DOP-C02 Ch.2

Question 74 of 100

A company uses AWS to host digital workloads. Each application team hosts its applications in its own AWS account, and the accounts are consolidated into a single organization in AWS Organizations. The company wants to enforce security standards across the organization. To prevent noncompliance caused by misconfiguration, the company mandates the use of AWS CloudFormation. Support teams must be able to identify and resolve application-related issues through the AWS Management Console while minimizing the impact on production environments. A DevOps engineer must implement a solution that detects, in near real time, any AWS service configuration error that causes noncompliance. The solution must automatically remediate such errors within 15 minutes of detection, and it must track noncompliant resources and events in a dashboard with accurate timestamps. Which solution meets these requirements with the least development effort?

Correct Answer: C. Enable AWS Config configuration recorders in all AWS accounts to identify noncompliant resources. Enable AWS Security Hub in all AWS accounts using the --no-enable-default-standards option. Set up AWS Config managed rules and custom rules. Configure AWS Config remediation to automatically remediate violations. For tracking, configure the Security Hub dashboard in the designated Security Hub administrator account.

Explanation

AWS Config continuously monitors resource configurations, records every configuration change, and integrates natively with AWS Security Hub, which aggregates compliance status across accounts. Once the configuration recorder is enabled, AWS Config evaluates resources against the defined managed and custom rules as changes are recorded and, where a remediation action (an SSM Automation document) is attached to a rule, runs it automatically when a resource becomes noncompliant. Enabling Security Hub with --no-enable-default-standards stops Security Hub from automatically enabling its default security standards, so the findings shown in the dashboard are the ones produced by the company's own Config rules. Security Hub then provides, in the designated administrator account, a single dashboard that aggregates findings, with their timestamps, from every account. Option C relies entirely on this native integration between AWS Config and Security Hub to deliver near-real-time detection, automatic remediation, and centralized tracking without custom development. The other options depend on log analysis or periodic polling and cannot guarantee near-real-time responsiveness.