Q92 — AWS DOP-C02 Ch.2

Question 92 of 100

A DevOps engineer needs to apply a set of core security controls across a group of existing AWS accounts. The accounts reside in an AWS Organizations organization. Individual teams will use the AdministratorAccess AWS managed policy to manage their own accounts. The solution must enable AWS CloudTrail and AWS Config in all applicable AWS Regions. Individual account administrators must not be able to edit or delete baseline resources. However, individual account administrators must retain the ability to edit or delete their own CloudTrail trails and AWS Config rules.

Correct Answer: C. Designate an AWS Config management account. Use CloudFormation StackSets to create AWS Config recorders in all accounts. Use the AWS Config management account to deploy AWS Config rules across the organization. Create an organization-wide CloudTrail trail in the organization’s management account. Apply a Service Control Policy (SCP) to prevent modification or deletion of AWS Config recorders.

Explanation

This question tests centralized security control management in multi-account AWS environments. AWS documentation states that CloudFormation StackSets deployed from the management account ensure consistent resource provisioning across accounts, while Service Control Policies (SCPs) restrict the maximum permissions available in member accounts, so they bound even principals holding the AdministratorAccess managed policy. Option C uses the designated AWS Config management account to centrally deploy AWS Config recorders and rules, establishes an organization-wide CloudTrail trail in the management account, and applies an SCP that denies modification or deletion of the baseline AWS Config recorders, while still permitting individual account administrators to manage their own CloudTrail trails and AWS Config rules. The other options fail to simultaneously satisfy all three requirements: mandatory service activation in every applicable Region, protection of the baseline resources from account administrators, and continued delegation of control over account-specific trails and rules.