AWS SAP-C02 · Question 02 · Domain 1.2: Security Controls
A financial services company uses AWS Organizations to manage 100+ accounts. The security team mandates that no Amazon S3 buckets can be made public, and all EBS volumes must be encrypted. Developers must still be able to create resources freely within these constraints. Which combination of actions should the Solutions Architect take to enforce these requirements with the LEAST operational overhead? (Select TWO)
Answer options:
Create a Service Control Policy (SCP) that denies the s3:PutBucketPublicAccessBlock action and attach it to the root OU.
Deploy an AWS Config rule to automatically remediate unencrypted EBS volumes across all accounts.
Enable EBS encryption by default in all regions for all accounts using AWS Systems Manager Automation.
Create an IAM boundary policy that denies ec2:CreateVolume if the Encrypted flag is false.
Use AWS CloudTrail to monitor for public S3 buckets and trigger a Lambda function to delete them.
Configure AWS Macie to automatically encrypt all EBS volumes.