Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 321 discussion

A company has an organization in AWS Organizations with many OUs that contain many AWS accounts. The organization has a dedicated delegated administrator AWS account.

The company needs the accounts in one OU to have server-side encryption enforced for all Amazon Elastic Block Store (Amazon EBS) volumes and Amazon Simple Queue Service (Amazon SQS) queues that are created or updated on an AWS CloudFormation stack.

Which solution will enforce this policy before a CloudFormation stack operation in the accounts of this OU?

  • A. Activate trusted access to CloudFormation StackSets. Create a CloudFormation Hook that enforces server-side encryption on EBS volumes and SQS queues. Deploy the Hook across the accounts in the OU by using StackSets.
  • B. Set up AWS Config in all the accounts in the OU. Use AWS Systems Manager to deploy AWS Config rules that enforce server-side encryption for EBS volumes and SQS queues across the accounts in the OU.
  • C. Write an SCP to deny the creation of EBS volumes and SQS queues unless the EBS volumes and SQS queues have server-side encryption. Attach the SCP to the OU.
  • D. Create an AWS Lambda function in the delegated administrator account that checks whether server-side encryption is enforced for EBS volumes and SQS queues. Create an IAM role to provide the Lambda function access to the accounts in the OU.
Suggested Answer: A

Comments

Srikantha
4 weeks, 1 day ago
Selected Answer: A
The company wants to enforce encryption at resource creation time before a CloudFormation stack operation is allowed. The best way to do that is by using CloudFormation Hooks, which can validate or block stack operations pre-deployment based on custom logic. CloudFormation Hooks allow you to enforce pre-provisioning checks. Hooks can block stack creations or updates that don’t meet compliance (e.g., unencrypted EBS volumes or SQS queues). You can deploy the Hook organization-wide using CloudFormation StackSets with trusted access enabled. This provides automated, consistent enforcement across accounts in an OU.
upvoted 1 times
...
tubtab
4 months, 1 week ago
Selected Answer: A
KEYWORD enforce this policy before a CloudFormation stack operation
upvoted 4 times
...
Ky_24
4 months, 2 weeks ago
Selected Answer: A
  • CloudFormation StackSets allows you to deploy a CloudFormation template across multiple AWS accounts and regions in your organization. By enabling trusted access to CloudFormation StackSets, you can manage resources and apply policies uniformly across multiple accounts within the OU.
  • A CloudFormation Hook is a way to enforce specific policies or checks during stack operations. In this case, you can create a Hook to ensure that all EBS volumes and SQS queues created or updated in the CloudFormation stack have server-side encryption enabled.
  • The StackSet and Hook can be deployed across all accounts in the specified OU, ensuring that server-side encryption is automatically enforced before any stack operation proceeds, thus satisfying the company’s policy.
upvoted 4 times
...
Changwha
5 months, 1 week ago
Selected Answer: A
The answer is A
upvoted 4 times
...
f4b18ba
5 months, 1 week ago
Selected Answer: A
CloudFormation Hooks allow you to intercept stack operations and perform validations or enforce policies before resources are created or updated. Develop a CloudFormation Hook that checks whether EBS volumes and SQS queues in the CloudFormation templates have SSE enabled. Use CloudFormation StackSets with trusted access to deploy the Hook across all accounts in the OU. The Hook will validate templates and prevent non-compliant resources from being created or updated during stack operations. Applies only to resources managed via CloudFormation, aligning with the company's requirement. Centralized Deployment: StackSets allow you to deploy the Hook across multiple accounts and regions efficiently. Hooks do not interfere with non-CloudFormation operations, limiting the scope to what's required.
upvoted 4 times
...
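
Added example (not part of the original discussion, and not AWS's Hook SDK code): the kind of property check that the Hook described in the comments above would run before a stack operation, written as plain Python over a template dictionary. The function names, the constructed sample template, and the strict policy (queues must declare encryption explicitly; unresolved intrinsic values are rejected) are assumptions.

```python
# Added example: property check a pre-provision Hook could apply (policy choices are assumptions).

def _is_true(value):
    # CloudFormation accepts real booleans and the strings "true"/"false".
    return value is True or (isinstance(value, str) and value.lower() == "true")

def _flag_ok(value, name):
    """Return None when a boolean property is explicitly true, else a reason."""
    if isinstance(value, dict):  # Ref / Fn::If etc. cannot be resolved here
        return f"{name} is an unresolved intrinsic; failing closed"
    return None if _is_true(value) else f"{name} must be true"

def check_resource(resource_type, properties):
    """Return None if the resource is compliant or out of scope."""
    props = properties or {}
    if resource_type == "AWS::EC2::Volume":
        return _flag_ok(props.get("Encrypted"), "Encrypted")
    if resource_type == "AWS::SQS::Queue":
        if props.get("KmsMasterKeyId"):  # SSE-KMS, literal or a Ref to a key
            return None
        return _flag_ok(props.get("SqsManagedSseEnabled"), "SqsManagedSseEnabled")
    return None  # other resource types are not covered by this policy

def evaluate_template(template):
    """Map logical ID -> failure reason for each non-compliant resource."""
    failures = {}
    for logical_id, res in template.get("Resources", {}).items():
        reason = check_resource(res.get("Type"), res.get("Properties"))
        if reason:
            failures[logical_id] = reason
    return failures

# Constructed sample template (hypothetical logical IDs and values).
SAMPLE = {"Resources": {
    "DataVolume": {"Type": "AWS::EC2::Volume",
                   "Properties": {"Size": 100, "Encrypted": "true"}},
    "ScratchVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 20}},
    "ParamVolume": {"Type": "AWS::EC2::Volume",
                    "Properties": {"Encrypted": {"Ref": "EncryptParam"}}},
    "OrdersQueue": {"Type": "AWS::SQS::Queue",
                    "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "EventsQueue": {"Type": "AWS::SQS::Queue",
                    "Properties": {"SqsManagedSseEnabled": False}},
    "LogBucket": {"Type": "AWS::S3::Bucket"},
}}

if __name__ == "__main__":
    for logical_id, reason in evaluate_template(SAMPLE).items():
        print(f"FAIL {logical_id}: {reason}")
```

A non-empty result corresponds to the Hook failing the stack operation; resource types outside the policy pass through untouched.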