Q36 — AWS DOP-C02 Ch.3

Question 36 of 100

A company manages AWS accounts for application teams within an AWS Control Tower environment. Each application team is responsible for securing its own AWS account. A DevOps engineer needs to enable Amazon GuardDuty for AWS accounts where it has not yet been enabled. The DevOps engineer is using AWS CloudFormation StackSets from the AWS Control Tower management account. How should the DevOps engineer configure the CloudFormation template to prevent failures during StackSet deployments?

Correct Answer: A. Create a CloudFormation custom resource that invokes an AWS Lambda function. Configure the Lambda function to conditionally enable GuardDuty only if it is not already enabled in the account.

Explanation

This question tests how to roll GuardDuty out to many accounts with CloudFormation StackSets without the deployment failing in accounts where it is already on. GuardDuty permits one detector per account per Region, so a template that declares an AWS::GuardDuty::Detector resource unconditionally fails in every account that already has a detector, and each failed stack instance counts against the StackSet's failure tolerance. Option A moves the decision to run time: a Lambda-backed custom resource calls ListDetectors in the target account, calls CreateDetector only when no detector exists, and reports SUCCESS to CloudFormation in both cases, so accounts that already enabled GuardDuty themselves are left untouched rather than causing an API error. Option B's Conditions are evaluated from parameters and pseudo parameters when the template is processed; they cannot query the live state of a service. Option C's Fn::GetAtt returns attributes of resources declared in the same template; it cannot read whether a detector exists outside the stack. Option D's static account list goes stale as accounts are added or teams enable GuardDuty on their own, so it reproduces the failure instead of preventing it. Custom resources are the CloudFormation mechanism for provisioning logic that depends on runtime state, which is exactly the situation here. Practical caveats for the Lambda: its execution role in each target account needs guardduty:ListDetectors and guardduty:CreateDetector; it must always send a response to the pre-signed ResponseURL, including on failure, or the stack operation hangs until it times out; on Delete it should leave the detector in place rather than disable monitoring; and because GuardDuty is Regional, the StackSet must target every Region that should be covered.
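The following Lambda handler is an added example of the Option A approach; it is not code from the exam or from AWS, and the names `ensure_detector`, `send_response` and `handler` are choices made here. It assumes the function is wired into the template as an AWS::CloudFormation::CustomResource whose ServiceToken is the function ARN, that the execution role holds guardduty:ListDetectors and guardduty:CreateDetector, and that boto3 is available in the Lambda runtime. The GuardDuty client and the response sender are injectable so the logic can be exercised offline with a fake client.

```python
"""Custom-resource Lambda that enables GuardDuty only if no detector exists.

Hypothetical example code written for this explanation, not taken from the
exam or from any AWS sample. Assumes the execution role has
guardduty:ListDetectors and guardduty:CreateDetector in the target account
and that boto3 (bundled in the Lambda runtime) is importable at run time.
"""
import json
import urllib.request


def ensure_detector(client):
    """Return (detector_id, created).

    GuardDuty allows one detector per account per Region. Creating a second
    one fails, which is the StackSet failure this resource avoids, so a
    detector is created only when ListDetectors returns none.
    """
    existing = client.list_detectors().get("DetectorIds", [])
    if existing:
        return existing[0], False
    resp = client.create_detector(
        Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES"
    )
    return resp["DetectorId"], True


def send_response(event, context, status, data, physical_id):
    """PUT the custom-resource result to CloudFormation's pre-signed URL."""
    body = json.dumps({
        "Status": status,
        "Reason": "See CloudWatch log stream: "
                  + str(getattr(context, "log_stream_name", "n/a")),
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data,
    }).encode()
    req = urllib.request.Request(
        event["ResponseURL"], data=body, method="PUT",
        headers={"Content-Type": ""},
    )
    urllib.request.urlopen(req)


def handler(event, context, client=None, send=send_response):
    """Lambda entry point. `client` and `send` are injectable for offline tests."""
    request_type = event["RequestType"]
    # Keep the physical ID stable across Update/Delete so CloudFormation does
    # not treat the detector as replaced.
    physical_id = event.get("PhysicalResourceId", "guardduty-detector")
    try:
        if request_type == "Delete":
            # Deleting the stack must not switch off threat detection.
            data = {"Action": "none"}
        else:
            if client is None:
                import boto3  # present in the Lambda runtime
                client = boto3.client("guardduty")
            detector_id, created = ensure_detector(client)
            physical_id = detector_id
            # Data values are strings so Fn::GetAtt on them is well defined.
            data = {"DetectorId": detector_id,
                    "Created": "true" if created else "false"}
        send(event, context, "SUCCESS", data, physical_id)
        return data
    except Exception as exc:
        # Always respond; a silent failure leaves the stack in progress
        # until CloudFormation's timeout expires.
        send(event, context, "FAILED", {"Error": str(exc)}, physical_id)
        raise
```

Deploy the function into each target account with the same StackSet (or a prerequisite one), since the custom resource runs in the account whose stack instance references it; the management account only orchestrates the deployment.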