AWS Certified Security - Specialty
  • Topic 1 Question 220

    A company needs to securely deploy resources and workloads across AWS accounts. The accounts are in an organization in AWS Organizations.

    The company needs to use AWS CloudFormation for infrastructure as code (IaC) management of approved architectural patterns. The company also must enforce tagging requirements and specific guidelines for resource and workload configuration and creation.

    Which solution will meet these requirements?

    • Use CloudFormation stack policies to prevent the creation of resources that do not meet the tagging or configuration requirements. Use Amazon EventBridge rules to detect API calls that attempt to create resources outside of CloudFormation.

    • Use an AWS CodePipeline pipeline to test and deploy IaC-defined workloads through CloudFormation into the accounts. Use AWS Config rules to enforce the tagging requirements. Apply an SCP to prevent the creation of misconfigured resources in all OUs.

    • Create an IAM permissions boundary to prevent the creation of misconfigured resources through CloudFormation and to enforce the tagging requirements. Apply the permissions boundary to all account roles. Use AWS Config rules to identify existing resources that are in a misconfigured state.

    • Use AWS Service Catalog with CloudFormation to manage access to approved architecture configurations. Provision Service Catalog portfolios to the accounts across the organization. Use AWS Config rules to enforce the tagging requirements and other resource configuration policies across accounts.
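    For reference, the combination named in the last option (Service Catalog fronting approved CloudFormation patterns, plus AWS Config rules for tagging) looks like the template below when written out. This is an added example, not part of the exam question or of any AWS-published template. The S3 template URL, the consumer account ID, the end-user role name, the tag keys and the resource types in scope are all assumed values chosen for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the exam page): a Service Catalog portfolio that exposes
  one approved CloudFormation pattern to a member account, plus an organization-wide
  AWS Config rule that flags resources missing the required tags. Deploy from the
  organization's management account or the Config delegated administrator account.

Parameters:
  ApprovedTemplateUrl:
    Type: String
    Description: >-
      S3 URL of the reviewed CloudFormation pattern (assumed; the template must
      already exist in a bucket that Service Catalog end users can read).
    Default: https://example-bucket.s3.amazonaws.com/patterns/three-tier-web-v1.yaml
  ConsumerAccountId:
    Type: String
    Description: Member account that receives the portfolio share (assumed value).
    Default: '111122223333'
  EndUserRoleName:
    Type: String
    Description: Role in this account allowed to launch products (assumed name).
    Default: ServiceCatalogEndUser

Resources:
  # Portfolio: the catalogue of approved architectural patterns.
  ApprovedPatternsPortfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: approved-architecture-patterns
      ProviderName: Cloud Platform Team
      Description: Reviewed IaC patterns that may be provisioned in member accounts.

  # Product: one approved pattern, versioned as a provisioning artifact.
  ThreeTierWebProduct:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: three-tier-web
      Owner: Cloud Platform Team
      Description: Approved three-tier web application pattern.
      ProvisioningArtifactParameters:
        - Name: v1
          Description: Initial reviewed version.
          Info:
            LoadTemplateFromURL: !Ref ApprovedTemplateUrl

  ProductAssociation:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref ApprovedPatternsPortfolio
      ProductId: !Ref ThreeTierWebProduct

  # Who may launch: a role rather than individual users, so access follows the role.
  EndUserAccess:
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties:
      PortfolioId: !Ref ApprovedPatternsPortfolio
      PrincipalARN: !Sub arn:aws:iam::${AWS::AccountId}:role/${EndUserRoleName}
      PrincipalType: IAM

  # Share the portfolio with a member account (one share per account shown here).
  ConsumerAccountShare:
    Type: AWS::ServiceCatalog::PortfolioShare
    Properties:
      PortfolioId: !Ref ApprovedPatternsPortfolio
      AccountId: !Ref ConsumerAccountId

  # TagOption: Service Catalog applies this tag to every resource it provisions
  # from the portfolio, so the tag is enforced at creation time, not just audited.
  CostCenterTagOption:
    Type: AWS::ServiceCatalog::TagOption
    Properties:
      Key: CostCenter
      Value: platform
      Active: true

  CostCenterTagOptionAssociation:
    Type: AWS::ServiceCatalog::TagOptionAssociation
    Properties:
      TagOptionId: !Ref CostCenterTagOption
      ResourceId: !Ref ApprovedPatternsPortfolio

  # Detective control across the organization: the managed REQUIRED_TAGS rule
  # marks in-scope resources non-compliant when CostCenter or Owner is missing.
  RequiredTagsOrgRule:
    Type: AWS::Config::OrganizationConfigRule
    Properties:
      OrganizationConfigRuleName: required-tags-costcenter-owner
      OrganizationManagedRuleMetadata:
        RuleIdentifier: REQUIRED_TAGS
        Description: Resources must carry CostCenter and Owner tags.
        InputParameters: '{"tag1Key":"CostCenter","tag2Key":"Owner"}'
        ResourceTypesScope:
          - AWS::EC2::Instance
          - AWS::S3::Bucket
          - AWS::RDS::DBInstance
```

    Two caveats a practitioner would check before relying on this: the organization rule only evaluates accounts that already have an AWS Config recorder running and requires trusted access for Config to be enabled in AWS Organizations, and a shared portfolio only becomes usable in the member account after that account imports it and grants its own principals launch access. Config rules are detective, not preventive; it is the Service Catalog launch path (and the TagOption attached to the portfolio) that stops untagged or off-pattern resources from being created in the first place.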

