An enterprise is adopting AWS Control Tower to manage its multi-account environment. The security team wants to automatically detect and remediate any Amazon S3 buckets that do not have versioning enabled. How should this be implemented within the Control Tower environment?

Answer options:

Write a custom AWS Lambda function and deploy it to every account using CloudFormation StackSets.

Enable the strongly recommended guardrail for S3 versioning in AWS Control Tower.

Use AWS Systems Manager Patch Manager to enforce S3 versioning.

Create an SCP to deny the s3:PutBucketVersioning action.

How to approach this question

Leverage native Control Tower features.

Full Answer

B.Enable the strongly recommended guardrail for S3 versioning in AWS Control Tower.✓ Correct

AWS Control Tower uses guardrails (preventative and detective) to enforce policies. Enabling the built-in guardrail for S3 versioning is the most operationally efficient way to meet this requirement.

Common mistakes

Over-engineering a custom Lambda solution.

Question 33 All questions Question 35

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 7

75 questions · hints · full answers · grading

More questions from this exam

Q01A global enterprise is designing a multi-region network architecture connecting 50 AWS accounts a...Hard Q02A company is migrating its hybrid network to AWS. They have two 10 Gbps AWS Direct Connect connec...Hard Q03An enterprise has 100 AWS accounts in AWS Organizations. The security team mandates that all Amaz...Medium Q04A financial company requires that all EBS volumes, S3 buckets, and RDS databases be encrypted usi...Easy Q05An enterprise is designing a disaster recovery strategy for a critical application running on Ama...Hard

View all 75 questions →