exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 220 discussion

A company needs to securely deploy resources and workloads across AWS accounts. The accounts are in an organization in AWS Organizations.

The company needs to use AWS CloudFormation for infrastructure as code (IaC) management of approved architectural patterns. The company also must enforce tagging requirements and specific guidelines for resource and workload configuration and creation.

Which solution will meet these requirements?

  • A. Use CloudFormation stack policies to prevent the creation of resources that do not meet the tagging or configuration requirements. Use Amazon EventBridge rules to detect API calls that attempt to create resources outside of CloudFormation.
  • B. Use an AWS CodePipeline pipeline to test and deploy IaC defined workloads through CloudFormation into the accounts. Use AWS Config rules to enforce the tagging requirements. Apply an SCP to prevent the creation of misconfigured resources in all OUs.
  • C. Create an IAM permissions boundary to prevent the creation of misconfigured resources through CloudFormation and to enforce the tagging requirements. Apply the permissions boundary to all account roles. Use AWS Config rules to identify existing resources that are in a misconfigured state.
  • D. Use AWS Service Catalog with CloudFormation to manage access to approved architecture configurations. Provision Service Catalog portfolios to the accounts across the organization. Use AWS Config rules to enforce the tagging requirements and other resource configuration policies across accounts.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
molerowan
2 days, 20 hours ago
Selected Answer: D
AWS Service Catalog with CloudFormation: Approved Architectural Patterns: Define standardized CloudFormation templates (products) in Service Catalog, ensuring all deployments adhere to approved configurations and tagging requirements. Centralized Governance: Distribute portfolios to accounts in the organization, restricting users to pre-approved IaC templates. AWS Config for Compliance Enforcement: Tagging and Configuration Rules: Use AWS Config managed/custom rules (e.g., required-tags, cloudformation-stack-drift) to detect and remediate non-compliant resources. Cross-Account Visibility: Aggregate findings in a delegated administrator account for centralized monitoring.
upvoted 1 times
molerowan
2 days, 20 hours ago
A: Stack policies prevent resource updates, not creation. EventBridge detects non-IaC activity but doesn’t enforce compliance. B: AWS Config + SCPs are reactive and lack granular control over IaC templates. C: Permissions boundaries limit IAM privileges but don’t enforce tags or configurations natively.
upvoted 1 times
...
...
Bachhu
2 months, 1 week ago
Selected Answer: D
It’s D. As it is applicable for AWS region.
upvoted 1 times
...
Pmktechno
2 months, 2 weeks ago
Selected Answer: D
AWS Service Catalog: This service allows you to create and manage catalogs of approved products that can be deployed using CloudFormation. This ensures that only approved architectural patterns are used. Provisioning Portfolios: By provisioning Service Catalog portfolios to the accounts across the organization, you can control which resources and configurations are available for deployment. AWS Config Rules: These rules can be used to enforce tagging requirements and other configuration policies, ensuring compliance across all accounts. This approach provides a comprehensive solution for managing and enforcing infrastructure standards and compliance across multiple AWS accounts.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago