Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 99 discussion

A company is using AWS Organizations to centrally manage its AWS accounts. The company has turned on AWS Config in each member account by using AWS CloudFormation StackSets. The company has configured trusted access in Organizations for AWS Config and has configured a member account as a delegated administrator account for AWS Config.

A DevOps engineer needs to implement a new security policy. The policy must require all current and future AWS member accounts to use a common baseline of AWS Config rules that contain remediation actions that are managed from a central account. Non-administrator users who can access member accounts must not be able to modify this common baseline of AWS Config rules that are deployed into each member account.

Which solution will meet these requirements?

  • A. Create a CloudFormation template that contains the AWS Config rules and remediation actions. Deploy the template from the Organizations management account by using CloudFormation StackSets.
  • B. Create an AWS Config conformance pack that contains the AWS Config rules and remediation actions. Deploy the pack from the Organizations management account by using CloudFormation StackSets.
  • C. Create a CloudFormation template that contains the AWS Config rules and remediation actions. Deploy the template from the delegated administrator account by using AWS Config.
  • D. Create an AWS Config conformance pack that contains the AWS Config rules and remediation actions. Deploy the pack from the delegated administrator account by using AWS Config.
Suggested Answer: D
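What option D looks like in practice, as an added example that is not part of the original page: a conformance pack template holding one managed rule and its remediation action, pushed organization-wide through AWS Config's `put_organization_conformance_pack`. The function names, the chosen rule and the role ARN are assumptions; `config_client` is assumed to be `boto3.client("config")` created with delegated administrator credentials.

```python
# Added example. Conformance pack template: one managed rule plus its automatic
# remediation. The role ARN is a placeholder; the automation role has to exist
# in the account where the remediation runs.
PACK_TEMPLATE = """\
Resources:
  S3PublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
  S3PublicReadRemediation:
    Type: AWS::Config::RemediationConfiguration
    DependsOn: S3PublicReadProhibited
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values: ["arn:aws:iam::111122223333:role/EXAMPLE-remediation-role"]
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID
"""
MAX_TEMPLATE_BYTES = 51200  # TemplateBody limit of PutOrganizationConformancePack

def deploy_baseline(config_client, name, excluded_accounts=()):
    """Create or update the pack across the organization; returns its ARN."""
    if len(PACK_TEMPLATE.encode()) > MAX_TEMPLATE_BYTES:
        raise ValueError("template too large for TemplateBody; use TemplateS3Uri")
    kwargs = {"OrganizationConformancePackName": name, "TemplateBody": PACK_TEMPLATE}
    if excluded_accounts:
        kwargs["ExcludedAccounts"] = list(excluded_accounts)
    resp = config_client.put_organization_conformance_pack(**kwargs)
    return resp["OrganizationConformancePackArn"]

def accounts_not_deployed(config_client, name):
    """Accounts whose copy of the pack is not in a SUCCESSFUL state (first page only)."""
    resp = config_client.get_organization_conformance_pack_detailed_status(
        OrganizationConformancePackName=name)
    ok = {"CREATE_SUCCESSFUL", "UPDATE_SUCCESSFUL"}
    return {s["AccountId"]: s["Status"]
            for s in resp["OrganizationConformancePackDetailedStatuses"]
            if s["Status"] not in ok}
```
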

Comments

Certified101
Highly Voted 11 months, 1 week ago
Selected Answer: D
Option D. Create an AWS Config conformance pack that contains the AWS Config rules and remediation actions. Deploy the pack from the delegated administrator account by using AWS Config. Conformance packs are a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a region, and across an organization in AWS Organizations. These packs are created and managed from a central account, and help to establish a secure and compliant posture for your accounts. Non-administrator users can view the AWS Config rules within a conformance pack but they cannot modify them. AWS Config conformance packs are therefore a good fit for achieving the desired control and security policy. The other options, while potentially viable for deploying Config rules, do not inherently protect the baseline AWS Config rules from being modified by non-administrator users in the member accounts.
upvoted 6 times
...
Jeanphi72
Highly Voted 1 year, 1 month ago
Selected Answer: D
https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
upvoted 5 times
...
MalonJay
Most Recent 1 month, 1 week ago
The question says 'The policy must require all current and future AWS member accounts to use a common baseline of AWS Config rules' Does D account for that?
upvoted 1 times
...
thanhnv142
4 months, 1 week ago
Selected Answer: D
D is correct: <a common baseline of AWS Config rule> means conformance pack. <a member account as a delegated administrator account for AWS Config> means delegated admin. A and C: no mention of conformance pack. B: should deploy this using AWS Config and in the delegated account, not the management account.
upvoted 3 times
...
lunt
11 months, 2 weeks ago
Selected Answer: D
Not sure why some people are saying B. A= CFN cannot protect the config. B= Yes technically, where is the actual CONFIG management plane? It's in the delegated admin account, which is not the management account = delegated admin config account will have no idea of management account config. C= CFN cannot protect config. D= Yes. Delegated CONFIG account can config on orgz level & protect the rules. Only logical option.
upvoted 5 times
...
allen_devops
12 months ago
D is correct. Deploying via CloudFormation StackSet cannot make sure that the AWS Config itself is not modified by the member accounts. Deploying an AWS organizational rule will achieve both permission restriction and auto deployment. https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html
upvoted 1 times
...
rhinozD
1 year ago
Selected Answer: D
D is correct https://aws.amazon.com/blogs/mt/deploying-conformance-packs-across-an-organization-with-automatic-remediation/
upvoted 3 times
...
Nickexams
1 year ago
Option B is the most appropriate solution for centrally managing and enforcing the common baseline of AWS Config rules across all member accounts while ensuring that non-administrator users cannot modify the rules.
upvoted 1 times
...
stream3652
1 year ago
Can't you use D?
upvoted 2 times
...
2pk
1 year, 1 month ago
Selected Answer: B
I think it's B, because AWS Config conformance packs are a way to package AWS Config rules and remediation actions into a single, shareable entity. With AWS Organizations, you can use CloudFormation StackSets to deploy conformance packs across all member accounts in your organization. This allows you to centrally manage the deployment of AWS Config rules and remediation actions across multiple AWS accounts. By deploying the conformance pack from the Organizations management account, you can ensure that non-administrator users cannot modify the baseline rules deployed to each member account.
upvoted 3 times
rhinozD
1 year ago
No, you just need the manager account to deploy the conformance pack to the whole organization.
upvoted 1 times
emupsx1
12 months ago
It's B https://catalog.us-east-1.prod.workshops.aws/workshops/7bb9fd8f-d049-4163-98e3-5c0cbb211f0c/en-US/enable-custom-conformance-pack-using-stacksets
upvoted 1 times
...
...
Jaguaroooo
5 months, 1 week ago
The question tells you there's a "delegated account", so you should be looking for that account in your answer choices as well.
upvoted 1 times
...
...
devnv
1 year, 1 month ago
D is the right answer
upvoted 3 times
...