Topic 1 Question 321
A company has an organization in AWS Organizations with many OUs that contain many AWS accounts. The organization has a dedicated delegated administrator AWS account.
The company needs the accounts in one OU to have server-side encryption enforced for all Amazon Elastic Block Store (Amazon EBS) volumes and Amazon Simple Queue Service (Amazon SQS) queues that are created or updated on an AWS CloudFormation stack.
Which solution will enforce this policy before a CloudFormation stack operation in the accounts of this OU?
A. Activate trusted access to CloudFormation StackSets. Create a CloudFormation Hook that enforces server-side encryption on EBS volumes and SQS queues. Deploy the Hook across the accounts in the OU by using StackSets.
B. Set up AWS Config in all the accounts in the OU. Use AWS Systems Manager to deploy AWS Config rules that enforce server-side encryption for EBS volumes and SQS queues across the accounts in the OU.
C. Write an SCP to deny the creation of EBS volumes and SQS queues unless the EBS volumes and SQS queues have server-side encryption. Attach the SCP to the OU.
D. Create an AWS Lambda function in the delegated administrator account that checks whether server-side encryption is enforced for EBS volumes and SQS queues. Create an IAM role to provide the Lambda function access to the accounts in the OU.
User votes
Comments (4)
- Selected answer: A
CloudFormation Hooks allow you to intercept stack operations and perform validations or enforce policies before resources are created or updated. Develop a CloudFormation Hook that checks whether EBS volumes and SQS queues in the CloudFormation templates have SSE enabled. Use CloudFormation StackSets with trusted access to deploy the Hook across all accounts in the OU. The Hook will validate templates and prevent non-compliant resources from being created or updated during stack operations. Applies only to resources managed via CloudFormation, aligning with the company's requirement. Centralized Deployment: StackSets allow you to deploy the Hook across multiple accounts and regions efficiently. Hooks do not interfere with non-CloudFormation operations, limiting the scope to what's required.
👍 3 | f4b18ba | 2024/11/22
- Selected answer: A
The answer is A
👍 3 | Changwha | 2024/11/23
- Selected answer: A
• CloudFormation StackSets allows you to deploy a CloudFormation template across multiple AWS accounts and regions in your organization. By enabling trusted access to CloudFormation StackSets, you can manage resources and apply policies uniformly across multiple accounts within the OU.
• A CloudFormation Hook is a way to enforce specific policies or checks during stack operations. In this case, you can create a Hook to ensure that all EBS volumes and SQS queues created or updated in the CloudFormation stack have server-side encryption enabled.
• The StackSet and Hook can be deployed across all accounts in the specified OU, ensuring that server-side encryption is automatically enforced before any stack operation proceeds, thus satisfying the company's policy.
👍 3 | Ky_24 | 2024/12/15
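The per-resource validation that the CloudFormation Hook in option A would perform before a stack create or update, as an added Python example that is not from this page or any commenter. It assumes the hook handler (built with the CloudFormation CLI hook project, whose wiring is omitted) passes each target resource's type and Properties map to evaluate() and returns the resulting status to CloudFormation.

```python
# Validation logic for a CloudFormation Hook targeting AWS::EC2::Volume and
# AWS::SQS::Queue (added example; the handler registration is assumed, not shown).
from typing import Any

TARGETS = {"AWS::EC2::Volume", "AWS::SQS::Queue"}


def _is_true(value: Any) -> bool:
    """Templates may carry booleans as True or the string 'true'."""
    return value is True or str(value).lower() == "true"


def ebs_volume_compliant(props: dict[str, Any]) -> tuple[bool, str]:
    """EBS volumes must declare Encrypted: true (a KmsKeyId is optional)."""
    if _is_true(props.get("Encrypted")):
        return True, "EBS volume is encrypted"
    return False, "EBS volume must set Encrypted: true"


def sqs_queue_compliant(props: dict[str, Any]) -> tuple[bool, str]:
    """SQS queues must declare SSE-KMS (KmsMasterKeyId) or SSE-SQS
    (SqsManagedSseEnabled: true); this policy requires it to be explicit."""
    if props.get("KmsMasterKeyId"):
        return True, "SQS queue uses SSE-KMS"
    if _is_true(props.get("SqsManagedSseEnabled")):
        return True, "SQS queue uses SSE-SQS"
    return False, "SQS queue must set KmsMasterKeyId or SqsManagedSseEnabled: true"


def evaluate(resource_type: str, props: dict[str, Any]) -> dict[str, Any]:
    """Hook result: SUCCESS lets the stack operation proceed, FAILED blocks it."""
    if resource_type == "AWS::EC2::Volume":
        ok, msg = ebs_volume_compliant(props)
    elif resource_type == "AWS::SQS::Queue":
        ok, msg = sqs_queue_compliant(props)
    else:
        return {"status": "SUCCESS", "message": f"{resource_type} not targeted"}
    return {"status": "SUCCESS" if ok else "FAILED", "message": msg}


# Constructed sample resources, shaped like a template's Properties blocks.
SAMPLES = [
    ("AWS::EC2::Volume", {"Size": 20, "AvailabilityZone": "us-east-1a", "Encrypted": True}),
    ("AWS::EC2::Volume", {"Size": 20, "AvailabilityZone": "us-east-1a"}),
    ("AWS::SQS::Queue", {"QueueName": "orders", "SqsManagedSseEnabled": True}),
    ("AWS::SQS::Queue", {"QueueName": "orders-plain"}),
]

if __name__ == "__main__":
    for rtype, props in SAMPLES:
        result = evaluate(rtype, props)
        print(f"{rtype}: {result['status']} - {result['message']}")
```

Because a Hook only sees resources declared in templates, encryption enforced this way covers CloudFormation-managed volumes and queues, not ones created through the console or API.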