AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 66
A multinational company uses an organization in AWS Organizations to manage over 200 member accounts across multiple AWS Regions. The company must ensure that all AWS resources meet specific security requirements.
The company must not deploy any EC2 instances in the ap-southeast-2 Region. The company must completely block root user actions in all member accounts. The company must prevent any user from deleting AWS CloudTrail logs, including administrators.
The company requires a centrally managed solution that the company can automatically apply to all existing and future accounts.
Which solution will meet these requirements?
Answer options
- A. Create AWS Config rules with remediation actions in each account to detect policy violations. Implement IAM permissions boundaries for the account root users.
- B. Enable AWS Security Hub across the organization. Create custom security standards to enforce the security requirements. Use AWS CloudFormation StackSets to deploy the standards to all the accounts in the organization. Set up Security Hub automated remediation actions.
- C. Use AWS Control Tower for account governance. Configure Region deny controls. Use service control policies (SCPs) to restrict root user access.
- D. Configure AWS Firewall Manager with security policies to meet the security requirements. Use an AWS Config aggregator with organization-wide conformance packs to detect security policy violations.
Correct answer: C
Explanation
The correct answer is C because AWS Control Tower provides a comprehensive governance solution that includes the ability to configure Region deny controls and apply service control policies (SCPs), which can restrict root user access effectively. Options A and B do not provide a centralized approach for managing multiple accounts in the same way as Control Tower, while option D, although useful for monitoring, does not restrict root user actions or prevent EC2 deployments in the specified region.