AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 312
A company has an organization in AWS Organizations with many OUs that contain many AWS accounts. The organization has a dedicated delegated administrator AWS account.
The company needs the accounts in one OU to have server-side encryption enforced for all Amazon Elastic Block Store (Amazon EBS) volumes and Amazon Simple Queue Service (Amazon SQS) queues that are created or updated in an AWS CloudFormation stack.
Which solution will enforce this policy before a CloudFormation stack operation in the accounts of this OU?
Answer options
- A. Activate trusted access to CloudFormation StackSets. Create a CloudFormation Hook that enforces server-side encryption on EBS volumes and SQS queues. Deploy the Hook across the accounts in the OU by using StackSets.
- B. Set up AWS Config in all the accounts in the OU. Use AWS Systems Manager to deploy AWS Config rules that enforce server-side encryption for EBS volumes and SQS queues across the accounts in the OU.
- C. Write an SCP to deny the creation of EBS volumes and SQS queues unless the EBS volumes and SQS queues have server-side encryption. Attach the SCP to the OU.
- D. Create an AWS Lambda function in the delegated administrator account that checks whether server-side encryption is enforced for EBS volumes and SQS queues. Create an IAM role to provide the Lambda function access to the accounts in the OU.
Correct answer: A
Explanation
AWS CloudFormation Hooks are designed specifically to inspect and validate resource configurations before any provisioning action occurs during a stack operation, which makes them the right tool for enforcing compliance proactively. Deploying the Hook with CloudFormation StackSets lets the delegated administrator distribute the enforcement policy consistently across every account in the target OU. The other approaches fall short: AWS Config rules and Lambda functions detect non-compliant resources after they exist (reactive rather than preventive), and SCPs do not integrate with the CloudFormation deployment lifecycle, so they cannot evaluate the proposed resource configuration before the stack operation runs.
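The following is an added illustration of the pre-provisioning check such a Hook performs on the proposed resource properties; it is not code from this page or from AWS, and apart from the CloudFormation resource type and property names every function, status string and sample value is an assumption constructed for the example.

```python
from typing import Any


def _truthy(value: Any) -> bool:
    # Template booleans may arrive as a real boolean or as the string "true".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def evaluate_resource(type_name: str, props: dict) -> tuple:
    """Return (compliant, reason) for one proposed resource's properties."""
    if type_name == "AWS::EC2::Volume":
        if _truthy(props.get("Encrypted")):
            return True, "EBS volume is encrypted at rest"
        return False, "EBS volume must set Encrypted: true"
    if type_name == "AWS::SQS::Queue":
        # Either a KMS key or SQS-managed SSE satisfies server-side encryption.
        if props.get("KmsMasterKeyId") or _truthy(props.get("SqsManagedSseEnabled")):
            return True, "SQS queue has server-side encryption"
        return False, "SQS queue must set KmsMasterKeyId or SqsManagedSseEnabled: true"
    return True, f"{type_name} is outside this hook's scope"


def pre_provision_check(resources: dict) -> dict:
    """Evaluate every resource in a template's Resources section.

    A FAILED status is what would block the stack operation before any
    resource is created or updated (assumed result shape, not the AWS API).
    """
    failures = []
    for logical_id, res in resources.items():
        ok, reason = evaluate_resource(res.get("Type", ""), res.get("Properties", {}))
        if not ok:
            failures.append(f"{logical_id}: {reason}")
    status = "FAILED" if failures else "SUCCESS"
    return {"hookStatus": status, "message": "; ".join(failures) or "all resources compliant"}


# Constructed sample Resources section, as the hook would see it on a stack operation.
SAMPLE_RESOURCES = {
    "DataVolume": {"Type": "AWS::EC2::Volume",
                   "Properties": {"AvailabilityZone": "us-east-1a", "Size": 20, "Encrypted": "true"}},
    "ScratchVolume": {"Type": "AWS::EC2::Volume",
                      "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8}},
    "OrdersQueue": {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "PlainQueue": {"Type": "AWS::SQS::Queue", "Properties": {}},
    "LogBucket": {"Type": "AWS::S3::Bucket"},
}

if __name__ == "__main__":
    print(pre_provision_check(SAMPLE_RESOURCES))
```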