Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 66 discussion

C This solution meets the requirements in the most operationally efficient way. It uses AWS CloudFormation StackSets to deploy AWS Config recorders in all accounts and AWS Config rules to the organization, which can be centrally managed from an AWS Config management account. A CloudTrail organization trail can also be created in the organization’s management account to collect logs from all accounts. An SCP can be used to deny modification or deletion of the AWS Config recorders, ensuring that the baseline resources cannot be modified or deleted by individual account administrators. However, individual account administrators can still edit or delete their own CloudTrail trails and AWS Config rules.

When Control Tower is enabled, AWS-GR_CLOUDTRAIL_ENABLED and AWS-GR_CONFIG_ENABLED will enable CloudTrail and Config in all available regions. The guardrails are automatically set to disallow changes to baseline resources. A, C, D - No mention about baseline resource.

my 2 cents: "AWS CloudTrail and AWS Config must be turned on in all available AWS Regions" these are the baseline resources which cannot be deleted. Definitely operatioanlly efficient to have a designated AWS config management account and organizational trail. Then the deny with SCP will prevent baseline resource deletion, but admins can still edit their own trails and config rules. Why not D: SCP is used, which is good — but the condition in the SCP to allow updates only by "administrators of the management account" is hard to implement cleanly

For the people fighting over Option C or D: Option D is a better choice because it deploys all the required baseline resources—both CloudTrail and AWS Config—across every account using CloudFormation StackSets, and then locks them down with an SCP. This setup makes sure that only the management account’s administrators can change or remove these core security controls. Meanwhile, individual account admins can still manage any extra CloudTrail trails or Config rules they create on their own. But, Option C, mainly focuses on AWS Config recorders and doesn't clearly cover CloudTrail, so it does not offer us as complete a solution.

Option D: Create an AWS CloudFormation Template: Develop a template that defines the standard resources, including CloudTrail and AWS Config, configured to operate in all available AWS Regions. Deploy Using CloudFormation StackSets: Utilize AWS CloudFormation StackSets from the organization's management account to deploy the template across all member accounts. This approach ensures consistent configuration and simplifies management. Implement a Service Control Policy (SCP): Establish an SCP that restricts updates or deletions of CloudTrail and AWS Config resources. This policy should allow only the organization's management account administrators to perform such actions, preventing individual account administrators from making unauthorized changes.

This is the most operationally efficient solution. Using CloudFormation StackSets ensures standard resources are consistently deployed, and SCPs provide the necessary restrictions and flexibility.

I think C because the SCP defines the principal being an administrator from the management account, not the individual account.

D. CloudFormation StackSets + SCP with conditional permissions: Centralized deployment of resources SCP prevents modifications to core resources Allows admins to edit their own resources (by implication) Matches all requirements efficiently

D is correct

I think should be C Keywords: "an existing set of AWS accounts"

must be D

I agree with C

Option C is the most operationally efficient and meets all the requirements: ensuring CloudTrail and AWS Config are enabled in all regions, preventing the deletion or editing of baseline resources by individual account administrators, while still allowing them the flexibility to manage their own specific resources. This approach uses centralized control mechanisms (AWS Config management account and organization trail for CloudTrail) and leverages SCPs for enforcement, aligning with best practices for security and governance in AWS Organizations.

Im going with D. SCPs is what helps us here

D for me. I think C is incorrect because "However, individual account administrators must be able to edit or delete their own CloudTrail trails and AWS Config rules." requirement is not satisfied because this answer has nothing about individual account administrators are able to edit their own CloudTrail trails. Organisational trail can be edited only from management or delegated administrator account.

C for sure

D is correct: This denies modifications to AWS config or cloudtrail unless the principal is the management account A: No explicitly mention of denying modifications to Config or cloudtrail B: No explicitly mention of denying modifications to Config or cloudtrail C: < Create a CloudTrail organization trail in the organization’s management account>: This means the deny rule only affects the management account