ExpertHard1 markMultiple Choice
AWS SAP-C02 · Question 24 · Domain 2.1: Deployment Strategy
A company requires that all infrastructure deployments are scanned for security vulnerabilities and compliance violations before being provisioned in AWS. They use AWS CloudFormation. How can this be automated in their CI/CD pipeline?
A company requires that all infrastructure deployments are scanned for security vulnerabilities and compliance violations before being provisioned in AWS. They use AWS CloudFormation. How can this be automated in their CI/CD pipeline?
Answer options:
A.
Use AWS Config rules to evaluate the resources after deployment.
B.
Integrate AWS CloudFormation Guard in the pipeline to evaluate templates against policy rules before deployment.
C.
Use Amazon Inspector to scan the CloudFormation templates.
D.
Use AWS Trusted Advisor to block non-compliant deployments.
How to approach this question
Look for the tool designed specifically for pre-deployment CloudFormation scanning.
Full Answer
B.Integrate AWS CloudFormation Guard in the pipeline to evaluate templates against policy rules before deployment.✓ Correct
Integrate AWS CloudFormation Guard in the pipeline to evaluate templates against policy rules before deployment.
AWS CloudFormation Guard is a policy-as-code evaluation tool that checks CloudFormation templates for compliance prior to deployment.
Common mistakes
Choosing AWS Config, which evaluates resources after they are provisioned.
Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 6
75 questions · hints · full answers · grading
More questions from this exam
Q01A global enterprise requires highly available hybrid connectivity between its on-premises data ce...HardQ02An organization has 50 VPCs across two AWS Regions connected via Transit Gateways (TGW). The TGWs...HardQ03A company uses AWS Organizations. The network team wants to share a central Transit Gateway (TGW)...MediumQ04An enterprise has on-premises data centers in the US and Europe. They want to use the AWS global ...HardQ05A company requires that all API calls to Amazon S3 from their VPC must not traverse the public in...Medium