A company has a multi-account environment managed by AWS Control Tower. They want to ensure that any Amazon S3 bucket created in any account automatically has AWS Key Management Service (AWS KMS) default encryption enabled. How can this be enforced centrally?

Answer options:

Create an AWS Config rule in the management account.

Enable the appropriate preventative guardrail (SCP) in AWS Control Tower.

Use AWS CloudFormation StackSets to deploy a bucket policy to all accounts.

Configure Amazon Macie to automatically encrypt unencrypted buckets.

How to approach this question

Identify the Control Tower feature used for preventative enforcement.

Full Answer

B.Enable the appropriate preventative guardrail (SCP) in AWS Control Tower.✓ Correct

AWS Control Tower uses guardrails to enforce policies. Preventative guardrails are implemented using Service Control Policies (SCPs) to ensure resources are created securely from the start.

Common mistakes

Choosing AWS Config, which only detects the issue after the bucket is created.

Question 34 All questions Question 36

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 1

75 questions · hints · full answers · grading

More questions from this exam

Q01An enterprise has 50 VPCs across two AWS Regions. They need to establish transitive routing betwe...Hard Q02A company uses AWS Organizations. The security team wants to ensure that no IAM user or role can ...Medium Q03An application requires a relational database with an RPO of 1 second and an RTO of less than 1 m...Hard Q04A company is setting up a new multi-account environment. They want to automate the provisioning o...Medium Q05An organization wants to allocate AWS costs to specific business units. They use AWS Organization...Hard

View all 75 questions →