Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 168 discussion

When you enable controls on an organizational unit (OU) that is registered with AWS Control Tower, preventive controls apply to all member accounts under the OU, enrolled and unenrolled. Detective controls apply to enrolled accounts only. https://docs.aws.amazon.com/controltower/latest/userguide/controls.html

https://docs.aws.amazon.com/controltower/latest/userguide/controls.html https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption AWS is now transitioning the previous term 'guardrail' new term 'control'.

I mean E is technically correct. The guardrail is created FROM the management account in Control Tower. Even tho I would select F as well during the exam

C, D, F are the right choices.

C, D, F

Basically order is DCF of the setup

CDF for sure

CEF A ) AWS Config not enforce rule B) Why developer account ? is incorrect is management account C ) Sounds good D) SCP for enforce sounds good E ) EBS encryption in managament account ? not only required in production F ) encryption in production OU sounds great

https://www.examtopics.com/discussions/amazon/view/97939-exam-aws-certified-solutions-architect-professional-sap-c02/

https://www.examtopics.com/discussions/amazon/view/97939-exam-aws-certified-solutions-architect-professional-sap-c02/

C because we want to use Control Tower A and C because we're going to use Controls and Config Not D because Control Tower is a parallel product to Organisations and it doesn't use SCPs although it can import existing OUs.

Answer : C,D,F

I think the answer is ACF. I don't think you need D once you have C. Also, control tower uses config rules to set up guardrails. See the link below: https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#:~:text=isn%27t%20enabled%20on%20any%20OUs.-,The%20artifact%20for%20this%20control%20is%20the%20following%20AWS%20Config%20rule.,-AWSTemplateFormatVersion%3A%202010%2D09%2D09

CDF seems the best choice

B. Create a new AWS Control Tower landing zone in an existing developer account. Create OUs for accounts. Add production and development accounts to production and development OUs, respectively. D. Invite existing accounts to join the organization in AWS Organizations. Create SCPs to ensure compliance. F. Create a control for the production OU to detect EBS encryption. By creating a new AWS Control Tower landing zone, the company can create OUs for accounts and add them to the appropriate production and development OUs. This will enable centralized governance and enforce consistent policies and best practices. The company can then invite existing accounts to join the organization in AWS Organizations and create SCPs to ensure compliance. Finally, the company can create a control for the production OU to detect EBS encryption, ensuring that encryption at rest is enforced in production accounts.

Answer is CDF https://docs.aws.amazon.com/controltower/latest/userguide/controls.html https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption

In F, guardrails are proposed to detect. Guardrails don't detect but prevent.