Q36 — AWS DOP-C02 Ch.3
A company manages AWS accounts for application teams within an AWS Control Tower environment. Each application team is responsible for securing its own AWS account. A DevOps engineer needs to enable Amazon GuardDuty for AWS accounts where it has not yet been enabled. The DevOps engineer is using AWS CloudFormation StackSets from the AWS Control Tower management account. How should the DevOps engineer configure the CloudFormation template to prevent failures during StackSet deployments?
- A. Create a CloudFormation custom resource that invokes an AWS Lambda function. Configure the Lambda function to conditionally enable GuardDuty only if it is not already enabled in the account. ✓
- B. Use the Conditions section of the CloudFormation template to enable GuardDuty in accounts where it is not yet enabled.
- C. Use the CloudFormation Fn::GetAtt intrinsic function to check whether GuardDuty is enabled. If not enabled, use the Resources section of the CloudFormation template to enable GuardDuty.
- D. Manually discover the list of AWS account IDs where GuardDuty is not enabled. Import this list into the CloudFormation template using the CloudFormation Fn::ImportValue intrinsic function to skip deployment for those AWS accounts.
Correct Answer: A. Create a CloudFormation custom resource that invokes an AWS Lambda function. Configure the Lambda function to conditionally enable GuardDuty only if it is not already enabled in the account.
Explanation
This question tests the ability to deploy GuardDuty safely across multiple accounts with AWS CloudFormation StackSets. AWS documentation states that when resource creation must depend on runtime state, a custom resource is the mechanism for implementing that conditional logic. Option A uses a Lambda-backed custom resource to detect, at deployment time, whether GuardDuty is already enabled in the target account and region, and enables it only if it is not. This matters because GuardDuty allows one detector per account per region: a second CreateDetector call fails, and that failure would fail the stack instance for every account that already had GuardDuty enabled. Option B's Conditions are evaluated against template parameters and pseudo parameters, so they cannot query live resource state. Option C's Fn::GetAtt returns attributes of resources the template itself creates; it cannot query an existing GuardDuty configuration. Option D's static list must be maintained by hand and cannot adapt as accounts are added or their GuardDuty status changes. AWS recommends custom resources for dynamic deployment scenarios of this kind.
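An added example of the Lambda-backed custom resource that option A describes (not code from the question's source; function names, the fake client used for testing, and the `FIFTEEN_MINUTES` publishing frequency are my assumptions). The handler enables GuardDuty only when no detector exists in the account and region, leaves GuardDuty running when the stack is deleted, and always signals CloudFormation so a failed check never leaves the stack instance hanging until the custom-resource timeout.

```python
import json
import urllib.request


def ensure_detector(guardduty):
    """Return (detector_id, created). GuardDuty allows one detector per account
    per region, so only call CreateDetector when ListDetectors comes back empty.
    `guardduty` is any object exposing list_detectors() and create_detector()."""
    existing = guardduty.list_detectors().get("DetectorIds", [])
    if existing:
        return existing[0], False
    resp = guardduty.create_detector(
        Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES"
    )
    return resp["DetectorId"], True


def build_cfn_response(event, status, physical_id, reason, data=None):
    """Body CloudFormation expects on the pre-signed ResponseURL."""
    return {
        "Status": status,
        "Reason": reason,
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_cfn_response(event, body):
    payload = json.dumps(body).encode()
    # Content-Type must be empty for the pre-signed S3 URL to accept the PUT.
    req = urllib.request.Request(
        event["ResponseURL"], data=payload, method="PUT", headers={"Content-Type": ""}
    )
    urllib.request.urlopen(req)


def lambda_handler(event, context):
    physical_id = event.get("PhysicalResourceId", "guardduty-detector")
    try:
        if event["RequestType"] == "Delete":
            # Removing the stack must not disable threat detection in the account.
            body = build_cfn_response(event, "SUCCESS", physical_id, "Detector left in place")
        else:
            import boto3  # imported lazily so the logic above is testable offline
            detector_id, created = ensure_detector(boto3.client("guardduty"))
            reason = "Created detector" if created else "Detector already existed"
            body = build_cfn_response(event, "SUCCESS", detector_id, reason,
                                      {"DetectorId": detector_id, "Created": str(created)})
    except Exception as exc:  # any error must still be reported, or the stack hangs
        body = build_cfn_response(event, "FAILED", physical_id, str(exc)[:200])
    send_cfn_response(event, body)
```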