Q56 — AWS DOP-C02 Ch.3


A company needs to ensure VPC flow logs are enabled for both existing and new VPCs across its AWS accounts. The company uses AWS CloudFormation stacks to manage VPCs. The company needs a solution applicable to any VPC created by any IAM user.

Correct Answer: C. Enable AWS Config. Create an AWS Config rule to check whether VPC flow logs are enabled. Configure automatic remediation to enable VPC flow logs.

Explanation

This question evaluates automated compliance management. AWS Config continuously records and evaluates resource configurations, and a Config rule can check whether each resource meets a specific criterion. When a VPC is found without flow logs enabled, the configured automatic remediation can call the appropriate API to enable them. This works regardless of how the VPC was created (console, CLI, CloudFormation, or other tools), so coverage is universal. Option A only applies to VPCs deployed through that specific CloudFormation stack. Options B and D restrict permissions but do not actively enforce or remediate the configuration. Option C achieves mandatory, account-wide compliance through continuous assessment and automatic correction, satisfying the requirements for both universality and enforcement.