Exam AWS Certified Security - Specialty topic 1 question 480 discussion

It's easy with SCP, but the questions ask also for a Compliance view, that is given from Control Tower. When you enable CT you will deploy AWS Config resource automatically and Guardrails SCPs that DENY config manipulations. I think is B because there isn't a CUSTOM configuration in config in the question, so I think is the default and as default I think Control Tower is the best answer. If the question said "Custom resource" I totally would have gone with D.

The company also wants a centralized view of the compliance status of all accounts. - only Control Tower will provide that

Answer A: Multi-account, multi-region data aggregation in AWS Config enables you to aggregate AWS Config data from multiple accounts and AWS Regions into a single account. Multi-account, multi-region data aggregation is useful for central IT administrators to monitor compliance for multiple AWS accounts in the enterprise. https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html

This is B because the question also asked for a centralized view of the compliance status of all accounts. Control Tower provides this to extend the governance of the organization. You can watch the YouTube video for more information - https://youtu.be/CwRy0t8nfgM

Based on the Question that states all of the Organization features have been enabled which would include what A is proposing then D seems like the most reasonable answer. Also A doesn't disallow changes to AWS Config in member accounts. For those that are saying B I would love to know how you would implement this in Control Tower.

A should do this

/The company also wants a centralized view of the compliance status of all accounts/ If this cant be done using SCP, then the answer has to be B with the Control tower

B for sure

D does not take in account the last sentence " a centralized view of the compliance status of all accounts". "Multi-account, multi-region data aggregation is useful for central IT administrators to monitor compliance for multiple AWS accounts in the enterprise." https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html "Deploy a common set of AWS Config rules across all accounts and specify accounts where AWS Config rules should not be created." https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html

D "SCPs affect only member accounts in the organization. They have no effect on users or roles in the management account." https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

The solution that will meet the company's requirements is option D: Create an SCP that denies access to all AWS Config API actions and apply the SCP to the organization's root. By creating a Service Control Policy (SCP) and applying it to the organization's root, you can effectively control and restrict access to AWS Config API actions across all accounts within the organization. This ensures that no configuration changes can be made to AWS Config settings in any member account, both existing and future accounts created by the company. Additionally, using an SCP at the organization's root level provides centralized control and enforcement of the policy, allowing you to manage and monitor compliance status across all accounts within the organization. This gives the company the desired centralized view of the compliance status of all accounts.

Service Control Policies (SCP) is needed for this case.