ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

View all questions & answers for the AWS Certified DevOps Engineer - Professional DOP-C02 exam
Go to Exam

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 206 discussion

Exam question from Amazon's AWS Certified DevOps Engineer - Professional DOP-C02
Question #: 206
Topic #: 1
[All AWS Certified DevOps Engineer - Professional DOP-C02 Questions]

A company uses AWS Control Tower and AWS CloudFormation to manage its AWS accounts and to create AWS resources. The company requires all Amazon S3 buckets to be encrypted with AWS Key Management Service (AWS KMS) when the S3 buckets are created in a CloudFormation stack.

Which solution will meet this requirement?

  • A. Use AWS Organizations. Attach an SCP that denies the s3:PutObject permission if the request does not include an x-amz-server-side-encryption header that requests server-side encryption with AWS KMS keys (SSE-KMS).
  • B. Use AWS Control Tower with a multi-account environment. Configure and enable proactive AWS Control Tower controls on all OUs with CloudFormation hooks.
  • C. Use AWS Control Tower with a multi-account environment. Configure and enable detective AWS Control Tower controls on all OUs with CloudFormation hooks.
  • D. Use AWS Organizations. Create an AWS Config organizational rule to check whether a KMS encryption key is enabled for all S3 buckets. Deploy the rule. Create and apply an SCP to prevent users from stopping and deleting AWS Config across all AWS accounts,
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Chelseajcole at Feb. 7, 2024, 7:32 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Ramdi1
Highly Voted 1 year, 4 months ago
Selected Answer: B
Proactive controls: Proactive controls are preventative measures that block actions violating defined policies before they occur. This ensures encryption gets applied automatically during S3 bucket creation within CloudFormation stacks. CloudFormation hooks: Hooks enable Control Tower to intercept and enforce policies on CloudFormation stack operations, making it ideal for enforcing encryption during resource creation. Multi-account environment: Since the requirement applies across all accounts, Control Tower's multi-account capabilities ensure consistent policy enforcement throughout the organization.
upvoted 5 times
Ramdi1
1 year, 4 months ago
The other options have limitations: A: While SCPs enforce policies, they react to actions instead of proactively preventing them. Additionally, denying s3:PutObject might be too restrictive as it can impact other legitimate operations. C: Detective controls monitor and report on existing resources, not preventing non-compliant creations. D: Config and SCPs combined address encryption checks and user limitations, but lack the direct integration with CloudFormation stacks crucial for enforcing during creation.
upvoted 1 times
...
...
thanhnv142
Highly Voted 1 year, 4 months ago
Selected Answer: B
B is correct: <AWS Control Tower> means we need to use the proactive control A: SCP s3:PutObject permission only deny action related to put object to S3, not when creating it B: Detective controls used only for monitoring C: correct D: This option can achive the goal of the question. However, it is way more complicated than B.
upvoted 5 times
...
jamesf
Most Recent 10 months, 4 weeks ago
Selected Answer: B
keywords: proactive
upvoted 3 times
...
Gomer
11 months, 3 weeks ago
Selected Answer: B
Here's the Control Tower proactive control: "[CT.S3.PR.10] Require an Amazon S3 bucket to have server-side encryption configured using an AWS KMS key" https://docs.aws.amazon.com/controltower/latest/controlreference/s3-rules.html#ct-s3-pr-10-description
upvoted 4 times
...
Venki_dev
1 year ago
Selected Answer: B
Clearly answer is B , here is article that explains the same. https://aws.amazon.com/blogs/mt/how-aws-control-tower-users-can-proactively-verify-compliance-in-aws-cloudformation-stacks/ Answer D with config rule also fits the bill (if no control tower), but since we have Control tower managing the accounts already its better to make use of the features that Control tower leverages
upvoted 2 times
...
dkp
1 year, 2 months ago
Selected Answer: B
Answer B
upvoted 3 times
...
fdoxxx
1 year, 2 months ago
Selected Answer: B
B is better than D...
upvoted 3 times
...
ogerber
1 year, 3 months ago
Selected Answer: B
B, 100%
upvoted 3 times
...
fdoxxx
1 year, 3 months ago
Selected Answer: D
D provides a solution that leverages AWS Organizations and AWS Config to enforce the requirement for AWS KMS encryption on all S3 buckets created through CloudFormation: AWS Config Organizational Rule: Create an AWS Config organizational rule to check whether a KMS encryption key is enabled for all S3 buckets. This rule helps ensure that the encryption requirement is enforced. Options A, B, and C do not directly address the requirement for AWS KMS encryption on S3 buckets created through CloudFormation: Option A mentions using an SCP but focuses on denying s3:PutObject without the required encryption header. However, this approach doesn't ensure that the encryption is enforced through AWS KMS. Options B and C mention using AWS Control Tower with proactive or detective controls, but they don't specifically address the encryption requirement for S3 buckets.
upvoted 1 times
fdoxxx
1 year, 2 months ago
I am changing to B - Option B leverages AWS Control Tower, which is designed for managing multiple AWS accounts in a centralized and automated manner. By configuring and enabling proactive AWS Control Tower controls on all Organizational Units (OUs) with CloudFormation hooks, the company can ensure that all S3 buckets created within CloudFormation stacks adhere to the encryption requirement.
upvoted 2 times
...
...
Chelseajcole
1 year, 4 months ago
Maybe D
upvoted 1 times
Venki_dev
1 year ago
its B https://aws.amazon.com/blogs/mt/how-aws-control-tower-users-can-proactively-verify-compliance-in-aws-cloudformation-stacks/
upvoted 1 times
...
Chelseajcole
1 year, 4 months ago
Because of AWS Config
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel