Option D. Create an AWS Config conformance pack that contains the AWS Config rules and remediation actions. Deploy the pack from the delegated administrator account by using AWS Config. Conformance packs are a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a region, and across an organization in AWS Organizations. These packs are created and managed from a central account, and help to establish a secure and compliant posture for your accounts. Non-administrator users can view the AWS Config rules within a conformance pack but they cannot modify them. AWS Config conformance packs are therefore a good fit for achieving the desired control and security policy. The other options, while potentially viable for deploying Config rules, do not inherently protect the baseline AWS Config rules from being modified by non-administrator users in the member accounts.

https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html

The question says 'The policy must require all current and future AWS member accounts to use a common baseline of AWS Config rules' Does D account for that?

D is correct: <a common baseline of AWS Config rule> means conformance pack. <a member account as a delegated administrator account for AWS Config> means delegated admin A and C: no mentionf of conformance pack B: should deploy this using AWS config and in the delegated account, not the management account

Not sure why some people are saying B. A= CFN cannot protect the config. B= Yes technically, where is the actual CONFIG management plane? Its in the delegated admin account, which is not the management account = delegated admin config account will have no idea of management account config. C= CFN cannot protect config. D= Yes. Delegated CONFIG account can config on orgz level & protect the rules. Only logical option.

D is correct. Deploying via Cloudformation StackSet cannot make sure that the aws config itself is not modified by the member accounts. Deploy aws organizational rule will achieve both permission restriction and auto deployment https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html

D is correct https://aws.amazon.com/blogs/mt/deploying-conformance-packs-across-an-organization-with-automatic-remediation/

option B is the most appropriate solution for centrally managing and enforcing the common baseline of AWS Config rules across all member accounts while ensuring that non-administrator users cannot modify the rules.

Can't you use D?

i think its B, because AWS Config conformance packs are a way to package AWS Config rules and remediation actions into a single, shareable entity. With AWS Organizations, you can use CloudFormation StackSets to deploy conformance packs across all member accounts in your organization. This allows you to centrally manage the deployment of AWS Config rules and remediation actions across multiple AWS accounts. By deploying the conformance pack from the Organizations management account, you can ensure that non-administrator users cannot modify the baseline rules deployed to each member account.

D is the right answer