Exam AWS DevOps Engineer Professional topic 1 question 161 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 161
Topic #: 1

A company's DevOps engineer manages an organization in AWS Organizations. The organization includes many accounts. The company needs all AWS CloudFormation stacks in production accounts to have termination protection enabled. Non-production accounts do not need termination protection.

The company has designated a centralized account for AWS Config aggregation and has configured all accounts to support the use of CloudFormation and AWS Config. The company also has grouped all production accounts into an OU.

Which solution will meet these requirements?

  • A. Create an AWS Config rule to detect stacks that do not have termination protection enabled. Add a remediation action to the rule to enable termination protection. Deploy the rule across the organization by using the PutOrganizationConfigRule API operation.
  • B. Create a CloudFormation template that deploys an AWS Config rule to detect stacks that do not have termination protection enabled. Add a remediation action to the rule to enable termination protection. Deploy the template to the OU of the production accounts by using CloudFormation StackSets.
  • C. Create an SCP that denies cloudformation:DeleteStack actions. Apply the SCP to the OU of the production accounts by using CloudFormation StackSets.
  • D. Create a CloudFormation stack policy that denies Update:Delete actions. Apply the policy to the OU of the production accounts by using CloudFormation StackSets.
Suggested Answer: B 🗳️
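As an added illustration of the Lambda-backed custom Config rule that answer B depends on (this is example code, not from the exam page or from AWS): the evaluation logic of a periodic rule that flags stacks whose termination protection is off, run over a constructed describe_stacks sample. The stack ARNs, the use of the StackId ARN as the Config resource id, and the treatment of nested stacks as not applicable are assumptions.

```python
import json

# Compliance values that AWS Config accepts in PutEvaluations.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

# Constructed sample, shaped like the Stacks list CloudFormation describe_stacks() returns.
ROOT = "arn:aws:cloudformation:us-east-1:111111111111:stack/prod-web/id-2"
SAMPLE_STACKS = [
    {"StackId": "arn:aws:cloudformation:us-east-1:111111111111:stack/prod-db/id-1",
     "StackStatus": "CREATE_COMPLETE", "EnableTerminationProtection": True},
    {"StackId": ROOT, "StackStatus": "UPDATE_COMPLETE", "EnableTerminationProtection": False},
    {"StackId": ROOT.replace("prod-web", "prod-web-Child"), "StackStatus": "CREATE_COMPLETE",
     "EnableTerminationProtection": False, "RootId": ROOT},
]

def evaluate_stack(stack):
    """Return (compliance, annotation) for one Stack dict."""
    # Nested stacks cannot be protected on their own; they inherit the root stack's setting.
    if stack.get("RootId") or stack.get("ParentId"):
        return NOT_APPLICABLE, "nested stack inherits root stack protection"
    if stack.get("EnableTerminationProtection") is True:
        return COMPLIANT, "termination protection enabled"
    return NON_COMPLIANT, "termination protection disabled"

def build_evaluations(stacks, ordering_timestamp):
    """Map Stack dicts to Config evaluation records (assumes the StackId ARN is the resource id)."""
    evaluations = []
    for stack in stacks:
        compliance, annotation = evaluate_stack(stack)
        evaluations.append({
            "ComplianceResourceType": "AWS::CloudFormation::Stack",
            "ComplianceResourceId": stack["StackId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": ordering_timestamp,
        })
    return evaluations

def lambda_handler(event, context):
    """Entry point for a periodic (ScheduledNotification) custom Config rule."""
    import boto3  # imported here so the evaluation logic above runs without the SDK
    invoking_event = json.loads(event["invokingEvent"])
    stacks = []
    for page in boto3.client("cloudformation").get_paginator("describe_stacks").paginate():
        stacks.extend(page["Stacks"])
    evaluations = build_evaluations(stacks, invoking_event["notificationCreationTime"])
    config = boto3.client("config")
    for i in range(0, len(evaluations), 100):  # PutEvaluations accepts at most 100 records per call
        config.put_evaluations(Evaluations=evaluations[i:i + 100], ResultToken=event["resultToken"])
```

Deployed through a StackSet scoped to the production OU, only those accounts get the rule; a remediation action attached to it can then call UpdateTerminationProtection on each NON_COMPLIANT stack.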

Comments

asfsdfsdf
Highly Voted 2 years, 1 month ago
Selected Answer: B
A - is wrong: if you put this across the organization it will also impact non-prod accounts.
C - might work, but it denies at the organization level and does not enable termination protection. Also, how can you apply the SCP by using CloudFormation StackSets? You apply it via Organizations.
D - how do you apply a new CloudFormation stack policy to other stacks using StackSets? You can't; you need to update the current ones.
B - the only valid answer, as a custom Config rule can be created and deployed using StackSets to an OU.
upvoted 5 times
einn
Most Recent 2 years, 1 month ago
Selected Answer: B
Create a custom Config rule to detect the stacks that don't have termination protection enabled. Use remediation actions to make the changes (enable it).
upvoted 1 times
LoveToronto
2 years, 2 months ago
C is the answer
upvoted 1 times
LoveToronto
2 years, 2 months ago
C is the right answer. B is incorrect because there are no Config rule StackSets that can detect termination protection.
upvoted 1 times
BelloMio
2 years, 2 months ago
A is wrong, as this will detect stacks from the whole organization and apply remediation actions to all accounts, not just production accounts.
B is correct.
C is wrong, as we want to enable termination protection; we don't want to prevent the deletion of the stacks for good.
D does not make sense.
upvoted 2 times
BelloMio
2 years, 2 months ago
To the people saying B is incorrect as there is no rule for termination protection: I guess it just means it must be a Lambda rule and not AWS-managed.
upvoted 1 times
Piccaso
2 years, 2 months ago
Selected Answer: B
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html
upvoted 2 times
DerekKey
2 years, 3 months ago
Selected Answer: A
C & D - wrong - the company wants to -->enable<-- termination protection.
B - wrong - there are only two AWS Config rules for CloudFormation: cloudformation-stack-drift-detection-check and cloudformation-stack-notification-check.
A - my choice - you have to create a rule (with Guard) and then deploy it. PutOrganizationConfigRule can be done with the AWS CLI; it allows you to exclude accounts that you don't want to target (--excluded-accounts).
upvoted 3 times
DerekKey
2 years, 3 months ago
There is a difference between SCP policy and termination protection. Termination protection will disregard the delete request even if you have permission to do it. You have to disable protection to be able to delete CF.
upvoted 1 times
Bulti
2 years, 3 months ago
Selected Answer: C
C is the right answer. B is incorrect because there are no Config rule StackSets that can detect termination protection.
upvoted 3 times
Bulti
2 years, 3 months ago
A could have been a potential choice, considering we can create custom Config rules using Lambda even if an AWS Config rule is not available for CloudFormation termination protection. However, it states calling the PutOrganizationConfigRule API across the entire organization, but we don't want termination protection in the non-prod accounts. So I will still go with C.
upvoted 3 times
Goksori
2 years, 3 months ago
Selected Answer: B
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html
upvoted 2 times
saeidp
2 years, 3 months ago
AWS Config rule?
upvoted 1 times
saeidp
2 years, 3 months ago
Selected Answer: C
It seems there are no Config rules for CloudFormation termination protection. Then C is the best.
upvoted 2 times
saeidp
2 years, 3 months ago
Selected Answer: B
I'll go with B
upvoted 1 times
saeidp
2 years, 3 months ago
It seems there are no Config rules for CloudFormation termination protection. Then C is the best.
upvoted 1 times
Oleg_gol
2 years, 3 months ago
Selected Answer: C
I vote C.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other