Q92 — AWS DOP-C02 Ch.2
A DevOps engineer needs to apply a set of core security controls across a group of existing AWS accounts. The accounts reside in an AWS Organizations organization. Individual teams will use the AdministratorAccess AWS managed policy to manage their own accounts. The solution must enable AWS CloudTrail and AWS Config in all applicable AWS Regions. Individual account administrators must not be able to edit or delete baseline resources. However, individual account administrators must retain the ability to edit or delete their own CloudTrail trails and AWS Config rules.
- A. Create an AWS CloudFormation template defining standard account resources. Deploy the template to all accounts using CloudFormation StackSets from the organization’s management account. Set the stack policy to deny Update:Delete actions.
- B. Enable AWS Control Tower. Register the existing accounts in AWS Control Tower. Grant individual account administrators permissions to manage CloudTrail and AWS Config.
- C. Designate an AWS Config management account. Use CloudFormation StackSets to create AWS Config recorders in all accounts. Use the AWS Config management account to deploy AWS Config rules across the organization. Create an organization-wide CloudTrail trail in the organization’s management account. Apply a Service Control Policy (SCP) to prevent modification or deletion of AWS Config recorders. ✓
- D. Create an AWS CloudFormation template defining standard account resources. Deploy the template to all accounts using CloudFormation StackSets from the organization’s management account. Create an SCP to prevent updating or deleting CloudTrail or AWS Config resources unless the principal is an administrator of the organization’s management account.
Correct Answer: C. Designate an AWS Config management account. Use CloudFormation StackSets to create AWS Config recorders in all accounts. Use the AWS Config management account to deploy AWS Config rules across the organization. Create an organization-wide CloudTrail trail in the organization’s management account. Apply a Service Control Policy (SCP) to prevent modification or deletion of AWS Config recorders.
Explanation
This question tests centralized security control management in multi-account AWS environments. AWS documentation states that CloudFormation StackSets deployed from the management account ensure consistent resource provisioning across accounts, while Service Control Policies (SCPs) restrict member account permissions. Option C creates AWS Config recorders in every account with StackSets, uses the designated AWS Config management account to deploy AWS Config rules across the organization, establishes an organization-wide CloudTrail trail in the management account, and applies an SCP scoped to the Config recorders to protect those baseline resources, while still permitting individual account administrators to manage their own CloudTrail trails and AWS Config rules. The other options fail to satisfy all three requirements at once: mandatory service activation in all applicable Regions, protection of baseline resources from account administrators, and delegated administrative control over account-specific resources.
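The SCP from option C, written out as an added example (not from the question source): it denies the calls that would stop, replace or delete the baseline Config recorder and its delivery channel in every member account, and deliberately leaves `config:PutConfigRule`, `config:DeleteConfigRule` and all `cloudtrail:*` actions unrestricted so account administrators keep control of their own rules and trails. The exempted role name is an assumed placeholder for the role StackSets uses to deploy the baseline.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectBaselineConfigRecorder",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "config:PutConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:PutDeliveryChannel"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/BASELINE-DEPLOY-ROLE-PLACEHOLDER"
        }
      }
    }
  ]
}
```

SCPs never apply to principals in the management account, and the organization trail is owned there, so member-account administrators can only edit or delete trails they created themselves even without a CloudTrail statement in this policy.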