Q20 — AWS SAP-C02 Ch.3
Q245. A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization. The company wants to implement governance and policy enforcement. The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company's production OU. Which solution will meet this requirement?
- A. Turn on mandatory controls (guardrails) in AWS Control Tower. Apply the mandatory controls (guardrails) to the production OU
- B. Enable the appropriate control (guardrail) from the list of strongly recommended controls (guardrails) in AWS Control Tower. Apply the control (guardrail) to the production OU ✓
- C. Use AWS Config to create a new mandatory control (guardrail). Apply the AWS Config rule to all accounts in the production OU
- D. Create a custom SCP in AWS Control Tower. Apply the SCP to the production OU
Correct Answer: B. Enable the appropriate control (guardrail) from the list of strongly recommended controls (guardrails) in AWS Control Tower. Apply the control (guardrail) to the production OU
Explanation
AWS Control Tower provides controls (guardrails) that help enforce governance and policy in an organization. These guardrails are pre-configured policies and best practices that can be enabled to ensure compliance with security and operational standards. To implement a policy that detects Amazon RDS DB instances that are not encrypted at rest in the production OU, the appropriate guardrail from the list of strongly recommended controls (guardrails) should be enabled in AWS Control Tower and applied to the production OU. This guardrail contains a rule specifically designed to detect unencrypted RDS DB instances.

Option A is incorrect because it relies on the mandatory controls (guardrails) in AWS Control Tower. While mandatory controls are important for governance and policy enforcement, they do not necessarily include a rule for detecting unencrypted RDS DB instances.

Option C is incorrect because it suggests using AWS Config to create a new mandatory control (guardrail) and applying the AWS Config rule to all accounts in the production OU. While AWS Config can be used to create custom rules, that is not necessary here because a pre-existing guardrail for this check is already available in AWS Control Tower.

Option D is incorrect because it suggests creating a custom SCP (service control policy) in AWS Control Tower. While SCPs can be used to enforce fine-grained permissions and restrictions, they are not designed for detecting unencrypted RDS DB instances. The guardrails in AWS Control Tower are the more appropriate solution for this requirement.