Exam AWS DevOps Engineer Professional topic 1 question 153 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 153
Topic #: 1

A DevOps engineer needs to apply a core set of security controls to an existing set of AWS accounts. The accounts are in an organization in AWS Organizations. Individual teams will administer individual accounts by using the AdministratorAccess AWS managed policy. For all accounts, AWS CloudTrail and AWS Config must be turned on in all available AWS Regions. Individual account administrators must not be able to edit or delete any of the baseline resources. However, individual account administrators must be able to edit or delete their own CloudTrail trails and AWS Config rules.

Which solution will meet these requirements in the MOST operationally efficient way?

  • A. Create an AWS CloudFormation template that defines the standard account resources. Deploy the template to all accounts from the organization's management account by using CloudFormation StackSets. Set the stack policy to deny Update Delete actions.
  • B. Enable AWS Control Tower. Enroll the existing accounts in AWS Control Tower. Grant the individual account administrators access to CloudTrail and AWS Config.
  • C. Designate an AWS Config management account. Create AWS Config recorders in all accounts by using AWS CloudFormation StackSets. Deploy AWS Config rules to the organization by using the AWS Config management account. Create a CloudTrail organization trail in the organization's management account. Deny modification or deletion of the AWS Config recorders by using an SCP.
  • D. Create an AWS CloudFormation template that defines the standard account resources. Deploy the template to all accounts from the organization's management account by using CloudFormation StackSets. Create an SCP that prevents updates or deletions to CloudTrail resources or AWS Config resources unless the principal is an administrator of the organization's management account.
Suggested Answer: D
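A member-account SCP that meets the requirement as the question states it (baseline trails, rules and recorders locked down, a team's own trails and rules still editable), added here as an example that is not part of the question or of any AWS-provided policy. It assumes the baseline resources carry a Baseline=true tag honoured by the aws:ResourceTag condition key and that a hypothetical BaselineAdmin role deploys them; as the commenters note, SCPs never apply to the management account itself, and the evaluator below is a simplified model of the Deny logic for checking the policy offline.

```python
import fnmatch

# Added example, not from the exam question or from AWS. The Baseline=true tag
# and the BaselineAdmin role name are assumptions made for illustration.
# SCPs have no Principal element; aws:PrincipalArn is how one role is exempted.
EXEMPT_DEPLOY_ROLE = {"aws:PrincipalArn": "arn:aws:iam::*:role/BaselineAdmin"}
BASELINE_SCP = {"Version": "2012-10-17", "Statement": [
    {   # Only trails/rules tagged as baseline are locked; a team's own
        # (untagged) trails and rules stay editable.
        "Sid": "ProtectTaggedBaselineTrailsAndRules", "Effect": "Deny",
        "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors",
                   "config:DeleteConfigRule", "config:PutConfigRule"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/Baseline": "true"},
                      "ArnNotLike": EXEMPT_DEPLOY_ROLE},
    },
    {   # The recorder and delivery channel are per-region singletons the
        # baseline owns, so they are protected outright.
        "Sid": "ProtectRecorderAndDeliveryChannel", "Effect": "Deny",
        "Action": ["config:DeleteConfigurationRecorder",
                   "config:StopConfigurationRecorder",
                   "config:PutConfigurationRecorder",
                   "config:DeleteDeliveryChannel"],
        "Resource": "*",
        "Condition": {"ArnNotLike": EXEMPT_DEPLOY_ROLE},
    },
]}

def _condition_met(cond, principal_arn, tags):
    """Simplified evaluation of the two operators this SCP uses."""
    for key, value in cond.get("StringEquals", {}).items():
        # A resource without the tag has no such key, so StringEquals fails.
        if tags.get(key.removeprefix("aws:ResourceTag/")) != value:
            return False
    for key, pattern in cond.get("ArnNotLike", {}).items():
        if key == "aws:PrincipalArn" and fnmatch.fnmatchcase(principal_arn, pattern):
            return False
    return True

def scp_denies(action, principal_arn, resource_tags=None):
    """True if any Deny statement in BASELINE_SCP matches this API call."""
    tags = resource_tags or {}
    return any(
        any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
        and _condition_met(stmt.get("Condition", {}), principal_arn, tags)
        for stmt in BASELINE_SCP["Statement"])
```

Attach the policy to the OU holding the member accounts; before relying on the tag condition for a given action, confirm in the Service Authorization Reference that the action lists aws:ResourceTag as a supported condition key.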

Comments

ducnt134
1 year, 5 months ago
Selected Answer: D
Between C and D. C is missing prevention of CloudTrail resource deletion. D is efficient and does not prevent individual accounts from modifying trails and Config rules, but prevents deletion of their resources.
upvoted 1 times
vn_thanhtung
1 year ago
But SCP does not support principal => D is not correct.
upvoted 2 times
Dgix
1 year, 7 months ago
B is the most _operationally_ efficient.
upvoted 1 times
lunt
1 year, 9 months ago
Selected Answer: D
So much discussion. Let's break this down. D = create CFN StackSets. SCP prevents CT + Config unless admin in mgmt acct. Does not meet the req of local admins being able to edit their own CT/Config settings. C = Config delegated = protected Orgs Config. CT via mgmt acct = protected CT config. Both CT & Config protected. Deny Config recorders - fine. C is the only viable answer to meet all the reqs. Forget the most efficient way - the answers only give you one way anyway. The question misdirect is option D.
upvoted 3 times
lunt
1 year, 9 months ago
Voted D by accident - should be C - sorry
upvoted 2 times
easytoo
2 years ago
Most operationally efficient is D.
upvoted 1 times
Nila_Cloud_PRO
2 years, 2 months ago
An SCP prevents users from disabling AWS Config or changing its rules, so it should be C.
upvoted 1 times
Bulti
2 years, 3 months ago
Selected Answer: D
The answer is D. It's more efficient to use an SCP than stack policies to deny permissions to update or delete resources that are provisioned using CloudFormation StackSets. A is also possible but creates more overhead and is not a best practice.
upvoted 2 times
Christina666
2 years, 3 months ago
Selected Answer: D
I chose D because only D mentioned the individual admin account.
upvoted 1 times
saeidp
2 years, 3 months ago
Selected Answer: C
C for me
upvoted 2 times
saeidp
2 years, 3 months ago
StackSets enable AWS Config in all accounts. An organizational trail adds a trail to all accounts and cannot be deleted by the accounts. The SCP prevents deleting AWS Config.
upvoted 2 times
saeidp
2 years, 3 months ago
SCP doesn't apply to management account
upvoted 2 times
saeidp
2 years, 2 months ago
"Create an SCP that prevents updates or deletions to CloudTrail resources or AWS Config resources unless the principal is an administrator of the organization's management account" is not correct because an SCP doesn't apply to the management account. You don't need to bring it into the SCP.
upvoted 1 times
Fatoch
2 years, 3 months ago
I think it is D for me
upvoted 1 times
Fatoch
2 years, 3 months ago
Is it not A? Because you attach a rule restriction of deny or delete.
upvoted 1 times
Dimidrol
2 years, 3 months ago
Selected Answer: D
D for me
upvoted 2 times
Fatoch
2 years, 4 months ago
So is it B? For me, B too.
upvoted 1 times
devops7
2 years, 4 months ago
Also, C is missing the deny "edit or delete their own CloudTrail trails"
upvoted 1 times
devops7
2 years, 4 months ago
B sounds wrong. I don't think Control Tower can "Grant the individual account administrators access to CloudTrail and AWS Config". C is too complicated and not an operationally efficient way. So, between A & D, I pick D because it sounds like a complete solution and is operationally efficient.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other