ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 1.4: Multi-Account EnvironmentGovernanceControl TowerSecurity

AWS SAP-C02 · Question 28 · Domain 1.4: Multi-Account Environment

An enterprise is using AWS Control Tower to manage its multi-account environment. A new compliance regulation requires that all Amazon S3 buckets in the organization must have versioning enabled. If a user attempts to create a bucket without versioning, the creation must be blocked. Which mechanism should the Architect use to enforce this?

Answer options:

A.

Enable the appropriate AWS Control Tower preventive guardrail (SCP) that denies S3 bucket creation if versioning is not enabled.

B.

Enable an AWS Control Tower detective guardrail (AWS Config rule) to flag buckets without versioning.

C.

Create an IAM permissions boundary and attach it to all users in the organization.

D.

Use AWS CloudTrail to trigger a Lambda function that enables versioning immediately after a bucket is created.

How to approach this question

Distinguish between preventive (SCP) and detective (Config) controls in Control Tower.

Full Answer

A.Enable the appropriate AWS Control Tower preventive guardrail (SCP) that denies S3 bucket creation if versioning is not enabled.✓ Correct
Enable the appropriate AWS Control Tower preventive guardrail (SCP) that denies S3 bucket creation if versioning is not enabled.
AWS Control Tower uses guardrails to enforce governance. Preventive guardrails are implemented using Service Control Policies (SCPs) and ensure that accounts comply with policies by blocking non-compliant actions (e.g., denying the `s3:CreateBucket` action if versioning is not specified). Detective guardrails (AWS Config rules) only detect non-compliance after the resource is created.

Common mistakes

Confusing detective controls (Config) with preventive controls (SCPs).
27All questions29

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5

75 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01A global enterprise is redesigning its AWS network architecture across 50 AWS accounts and 3 AWS ...HardQ02A company uses AWS Organizations to manage multiple accounts. The security team mandates that no ...MediumQ03A financial institution requires a disaster recovery strategy for its critical trading applicatio...HardQ04An enterprise is setting up a new multi-account AWS environment using AWS Control Tower. They nee...MediumQ05A company has a complex AWS environment with hundreds of linked accounts under AWS Organizations....Hard
View all 75 questions →