AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 179

A company needs to ensure that flow logs remain configured for all existing and new VPCs in its AWS account. The company uses an AWS CloudFormation stack to manage its VPCs. The company needs a solution that will work for any VPCs that any IAM user creates.

Which solution will meet these requirements?

Answer options

• A. Add the AWS::EC2::FlowLog resource to the CloudFormation stack that creates the VPCs.
• B. Create an organization in AWS Organizations. Add the company's AWS account to the organization. Create an SCP to prevent users from modifying VPC flow logs.
• C. Turn on AWS Config. Create an AWS Config rule to check whether VPC flow logs are turned on. Configure automatic remediation to turn on VPC flow logs.
• D. Create an IAM policy to deny the use of API calls for VPC flow logs. Attach the IAM policy to all IAM users.

Correct answer: C

Explanation

The correct answer is C because enabling AWS Config with a rule for VPC flow logs allows for continuous compliance checking and automatic remediation, ensuring that any VPC created will have flow logs enabled. Options A and B do not provide a solution that applies universally to all IAM users creating VPCs, while D restricts API calls but does not ensure flow logs are enabled for new VPCs.