
Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 101 discussion

A company recently created a new AWS Control Tower landing zone in a new organization in AWS Organizations. The landing zone must be able to demonstrate compliance with the Center for Internet Security (CIS) Benchmarks for AWS Foundations.

The company’s security team wants to use AWS Security Hub to view compliance across all accounts. Only the security team can be allowed to view aggregated Security Hub findings. In addition, specific users must be able to view findings from their own accounts within the organization. All accounts must be enrolled in Security Hub after the accounts are created.

Which combination of steps will meet these requirements in the MOST automated way? (Choose three.)

  • A. Turn on trusted access for Security Hub in the organization’s management account. Create a new security account by using AWS Control Tower. Configure the new security account as the delegated administrator account for Security Hub. In the new security account, provide Security Hub with the CIS Benchmarks for AWS Foundations standards.
  • B. Turn on trusted access for Security Hub in the organization’s management account. From the management account, provide Security Hub with the CIS Benchmarks for AWS Foundations standards.
  • C. Create an AWS IAM Identity Center (AWS Single Sign-On) permission set that includes the required permissions. Use the CreateAccountAssignment API operation to associate the security team users with the permission set and with the delegated security account.
  • D. Create an SCP that explicitly denies any user who is not on the security team from accessing Security Hub.
  • E. In Security Hub, turn on automatic enablement.
  • F. In the organization’s management account, create an Amazon EventBridge rule that reacts to the CreateManagedAccount event. Create an AWS Lambda function that uses the Security Hub CreateMembers API operation to add new accounts to Security Hub. Configure the EventBridge rule to invoke the Lambda function.
Suggested Answer: ACE

Comments

emupsx1
Highly Voted 1 year, 9 months ago
The answer is ACE because: a few hours ago, I just finished the DOP-C02 exam. My score is 1000 points. This question came up, and I chose ACE.
upvoted 17 times
BaburTurk
1 year, 7 months ago
Bot account. Pics or it didn't happen.
upvoted 7 times
Gomer
10 months, 1 week ago
Either a bot or a bot for brains. Same useless comments made on multiple questions.
upvoted 3 times
eugene2owl
Most Recent 4 months, 3 weeks ago
Selected Answer: ADE
I prefer "D" over "C", because no one asks to enable SSO (which is very complex to organise and maintain).
upvoted 1 times
auxwww
9 months ago
Selected Answer: ACE
A - Only the security team needs access to findings org-wide, hence the delegated account.
C - Allow security team members access to the delegated account for Security Hub using the Identity Center that comes with Control Tower.
E - Each new account needs Security Hub for its own users to access, and also for aggregation across the org.
upvoted 4 times
zijo
10 months, 2 weeks ago
Automatic enablement in AWS Security Hub refers to the feature that allows AWS Security Hub to be automatically enabled for new and existing AWS accounts that are part of an organization in AWS Organizations. This feature simplifies the process of onboarding multiple accounts into Security Hub, ensuring consistent security posture and compliance across the organization.
upvoted 3 times
seetpt
11 months, 3 weeks ago
Selected Answer: ACE
ACE is correct
upvoted 3 times
didek1986
1 year ago
Selected Answer: ACF
ACF. E ensures that all new accounts are automatically enrolled in Security Hub (same as F), but it does not address the requirement for specific users to view findings from their own accounts.
upvoted 2 times
zijo
10 months, 2 weeks ago
I think C will take care of this: "it does not address the requirement for specific users to view findings from their own accounts".
upvoted 1 times
dkp
1 year ago
Selected Answer: ACE
ACE are the correct answers.
upvoted 2 times
thanhnv142
1 year, 2 months ago
ACE are correct: <Only the security team can be allowed to view aggregated Security Hub findings> means we need a delegated admin. <All accounts must be enrolled in Security Hub after the accounts are created> and <in the MOST automated way> mean we need to enable automatic enablement.
B: no mention of a delegated admin.
D: this option denies access to the security team, which is irrelevant.
F: this option's result is the same as in option E, but more complicated.
upvoted 3 times
2pk
1 year, 5 months ago
Selected Answer: ADE
According to this article, the delegated account users have access in ANY account, while the users under their own account can view their own findings. So there is no need to set up IAM policies for security account users. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-allowed-actions.html
upvoted 1 times
YR4591
1 year, 5 months ago
Selected Answer: ACE
A - Create the delegated account for Security Hub.
C - Give users access to the security account using permission sets.
E - Use auto-enable so every new account will be monitored by Security Hub.
upvoted 3 times
sb333
1 year, 9 months ago
Selected Answer: ACE
ACE are the correct answers.
upvoted 2 times
habros
1 year, 9 months ago
Selected Answer: ACE
ACE. Reason being, it is a landing zone and AWS SSO (IAM Identity Center) is already part of the Control Tower product! Add security dept users as an SSO group and attach the security permission set to access Security Hub.
upvoted 2 times
Wardove
1 year, 10 months ago
Selected Answer: ACE
With Control Tower comes the Identity Center implementation with the default Identity Center directory.
upvoted 3 times
robotgeek
1 year, 11 months ago
Selected Answer: ADE
B is not the typical way AWS separates responsibilities in multi-account setups (management, sec, audit).
C is related to Active Directory.
E is more automated than F.
upvoted 2 times
jnv007
1 year, 9 months ago
Identity Center is not exclusively related to Active Directory.
An SCP can only prevent access but doesn't enable any access, so D is not sufficient.
ACE for me. https://docs.aws.amazon.com/securityhub/latest/userguide/accounts-orgs-auto-enable.html
upvoted 1 times
Kodoma
1 year, 11 months ago
ACF is more efficient.
upvoted 4 times
Dimidrol
1 year, 11 months ago
Selected Answer: ADE
ADE for me.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other