Q56 — AWS DOP-C02 Ch.3
A company needs to ensure VPC flow logs are enabled for both existing and new VPCs across its AWS accounts. The company uses AWS CloudFormation stacks to manage VPCs. The company needs a solution applicable to any VPC created by any IAM user.
- A. Add an AWS::EC2::FlowLog resource to the CloudFormation stack that creates the VPC.
- B. Create an organization in AWS Organizations. Add the company’s AWS accounts to the organization. Create an SCP to prevent users from modifying VPC flow logs.
- C. Enable AWS Config. Create an AWS Config rule to check whether VPC flow logs are enabled. Configure automatic remediation to enable VPC flow logs. ✓
- D. Create an IAM policy to deny API calls related to VPC flow logs. Attach the IAM policy to all IAM users.
Correct Answer: C. Enable AWS Config. Create an AWS Config rule to check whether VPC flow logs are enabled. Configure automatic remediation to enable VPC flow logs.
Explanation
This question tests automated compliance enforcement. AWS Config continuously records resource configurations and evaluates them against rules; the managed rule VPC_FLOW_LOGS_ENABLED flags any VPC that has no active flow log (optionally requiring a specific traffic type). Paired with a remediation action (a Systems Manager Automation runbook executed under a role that is allowed to call CreateFlowLogs), a non-compliant VPC is corrected without human intervention. Because Config evaluates the VPC resource itself, coverage does not depend on how the VPC was created (console, CLI, CloudFormation, or any other tool) or on which IAM user or role created it, and deploying the rule across the organization's accounts (for example as an organization Config rule or conformance pack) extends the same check to every account.

Option A only covers VPCs deployed by that one CloudFormation stack; a VPC created any other way never gets a flow log. Options B and D are preventive controls: an SCP or IAM deny stops people from modifying or deleting flow logs, but neither creates one for a VPC that never had it, so existing VPCs stay uncovered. Option D also applies only to IAM users, not to roles. Option C is the only choice that both detects and corrects, which is what "existing and new VPCs, in any account, created by anyone" requires.
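The following is an added example, not code from the exam page or from AWS, showing what the detect-and-remediate loop in option C amounts to at the API level. It evaluates VPCs the way the managed rule does (an ACTIVE flow log attached to the VPC itself, not merely to a subnet, capturing the required traffic type) and builds the CreateFlowLogs call for the non-compliant ones. It takes any client object exposing describe_vpcs, describe_flow_logs and create_flow_logs, so it runs offline against the constructed FakeEc2 below; the VPC IDs, flow-log records and bucket ARN are made up for the example. Passing boto3.client("ec2") instead would run it against a real account (where describe_vpcs/describe_flow_logs should be paginated, which is omitted here).

```python
"""Detect VPCs without flow logs and enable them, mirroring AWS Config auto-remediation."""
from __future__ import annotations

# Constructed sample data in the shape of EC2 DescribeVpcs / DescribeFlowLogs responses.
SAMPLE_VPCS = {
    "Vpcs": [
        {"VpcId": "vpc-0a1b2c3d4e5f60001"},  # has an ACTIVE VPC-level flow log
        {"VpcId": "vpc-0a1b2c3d4e5f60002"},  # created in the console, no flow log at all
        {"VpcId": "vpc-0a1b2c3d4e5f60003"},  # only a subnet-level flow log -> still non-compliant
        {"VpcId": "vpc-0a1b2c3d4e5f60004"},  # flow log exists but captures REJECT traffic only
    ]
}
SAMPLE_FLOW_LOGS = {
    "FlowLogs": [
        {"FlowLogId": "fl-1", "ResourceId": "vpc-0a1b2c3d4e5f60001",
         "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
        {"FlowLogId": "fl-2", "ResourceId": "subnet-0123456789abcdef0",
         "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
        {"FlowLogId": "fl-3", "ResourceId": "vpc-0a1b2c3d4e5f60004",
         "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"},
    ]
}


def evaluate(vpcs_resp, flow_logs_resp, required_traffic_type="ALL"):
    """Return {vpc_id: "COMPLIANT" | "NON_COMPLIANT"}.

    A VPC counts as compliant only if an ACTIVE flow log is attached to the VPC
    itself (not to one of its subnets or ENIs) and captures the required traffic
    type. required_traffic_type plays the role of the managed rule's trafficType
    parameter.
    """
    covered = {
        fl["ResourceId"]
        for fl in flow_logs_resp["FlowLogs"]
        if fl["ResourceId"].startswith("vpc-")
        and fl.get("FlowLogStatus") == "ACTIVE"
        and fl.get("TrafficType") == required_traffic_type
    }
    return {
        v["VpcId"]: ("COMPLIANT" if v["VpcId"] in covered else "NON_COMPLIANT")
        for v in vpcs_resp["Vpcs"]
    }


def create_flow_logs_request(vpc_ids, log_destination_arn):
    """Keyword arguments for EC2 CreateFlowLogs that bring the listed VPCs into compliance.

    Delivers to S3 so no CloudWatch Logs delivery role is required. Assumption:
    log_destination_arn is a bucket ARN the remediation role may write to.
    """
    return {
        "ResourceIds": list(vpc_ids),
        "ResourceType": "VPC",
        "TrafficType": "ALL",
        "LogDestinationType": "s3",
        "LogDestination": log_destination_arn,
    }


def remediate(ec2, log_destination_arn):
    """Evaluate every VPC and enable flow logs on the non-compliant ones.

    `ec2` is any object with describe_vpcs(), describe_flow_logs() and
    create_flow_logs(**kwargs), i.e. the subset of boto3's EC2 client used here.
    Returns the sorted list of VPC IDs that were remediated.
    """
    results = evaluate(ec2.describe_vpcs(), ec2.describe_flow_logs())
    targets = sorted(v for v, status in results.items() if status == "NON_COMPLIANT")
    if targets:
        ec2.create_flow_logs(**create_flow_logs_request(targets, log_destination_arn))
    return targets


class FakeEc2:
    """Offline stand-in for boto3's EC2 client, backed by the constructed data above."""

    def __init__(self):
        self.created = []  # every CreateFlowLogs request that would have been sent

    def describe_vpcs(self):
        return SAMPLE_VPCS

    def describe_flow_logs(self):
        return SAMPLE_FLOW_LOGS

    def create_flow_logs(self, **kwargs):
        self.created.append(kwargs)
        return {"FlowLogIds": [f"fl-new-{i}" for i in range(len(kwargs["ResourceIds"]))],
                "Unsuccessful": []}


if __name__ == "__main__":
    client = FakeEc2()
    print(evaluate(client.describe_vpcs(), client.describe_flow_logs()))
    print("remediated:", remediate(client, "arn:aws:s3:::example-flow-log-bucket"))
```

The subnet-only and REJECT-only cases are the ones that trip people up in practice: both show a flow log in the console, yet neither satisfies a rule that asks for all traffic at the VPC level, and the remediation simply adds a second, VPC-scoped flow log rather than touching the existing one.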