ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Domain 1.4: Multi-Account EnvironmentControl TowerAWS ConfigCompliance

AWS SAP-C02 · Question 14 · Domain 1.4: Multi-Account Environment

An enterprise is using AWS Control Tower to manage its multi-account environment. They need to implement a custom security control: all new Amazon S3 buckets must have S3 Object Lock enabled for compliance reasons. This control is not available as a standard Control Tower guardrail. How should the Solutions Architect implement this automatically across all existing and future accounts?

Answer options:

A.

Create an SCP that denies s3:CreateBucket if the ObjectLockEnabled flag is false, and attach it to the root OU.

B.

Use AWS CloudFormation StackSets to deploy a custom AWS Config rule and an AWS Systems Manager Automation document for remediation to all accounts.

C.

Modify the Control Tower landing zone blueprint to include the custom rule.

D.

Create an Amazon EventBridge rule in the management account to monitor CloudTrail for CreateBucket events and trigger a Lambda function.

How to approach this question

Look for the standard AWS pattern for custom automated remediation across accounts.

Full Answer

B.Use AWS CloudFormation StackSets to deploy a custom AWS Config rule and an AWS Systems Manager Automation document for remediation to all accounts.✓ Correct
Deploy an AWS Config rule using CloudFormation StackSets to detect non-compliant buckets, and use Systems Manager Automation to remediate.
AWS Config rules combined with AWS Systems Manager Automation documents provide a robust framework for detecting and remediating non-compliant resources. CloudFormation StackSets allow deploying this framework across all accounts in an Organization.

Common mistakes

Trying to use SCPs for complex conditional logic that isn't supported by IAM condition keys.
13All questions15

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 4

75 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01A global enterprise is redesigning its network architecture across 50 AWS accounts. They require ...HardQ02A financial services company uses AWS Organizations to manage 100+ accounts. The security team ma...MediumQ03An e-commerce company requires a multi-region active-active architecture for its critical order p...MediumQ04A company is setting up a new AWS environment using AWS Control Tower. They need to ensure that a...HardQ05An enterprise has 50 AWS accounts under AWS Organizations. They want to implement a chargeback mo...Medium
View all 75 questions →