AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 372
A company is implementing a standardized security baseline across its AWS accounts. The accounts are in an organization in AWS Organizations.
The company must deploy consistent IAM roles and policies across all existing and future accounts in the organization.
Which solution will meet these requirements with the MOST operational efficiency?
Answer options
- A. Enable AWS Control Tower in the management account. Configure AWS Control Tower Account Factory customization to deploy the required IAM roles and policies to all accounts.
- B. Activate trusted access for AWS CloudFormation StackSets in Organizations. In the management account, create a stack set that has service-managed permissions to deploy the required IAM roles and policies to all accounts. Enable automatic deployment for the stack set.
- C. In each member account, create IAM roles that have permissions to create and manage resources. In the management account, create an AWS CloudFormation stack set that has self-managed permissions to deploy the required IAM roles and policies to all accounts. Enable automatic deployment for the stack set.
- D. In the management account, create an AWS CodePipeline pipeline. Configure the pipeline to use AWS CloudFormation to automate the deployment of the required IAM roles and policies. Set up cross-account IAM roles to allow CodePipeline to deploy resources in the member accounts.
Correct answer: B
Explanation
Using AWS CloudFormation StackSets with service-managed permissions, after trusted access has been enabled in AWS Organizations, lets the management account deploy a template to every account in the targeted organizational units with minimal administrative effort; with automatic deployment enabled, accounts that later join those units receive the stack without further action. Self-managed permissions (Option C) require the prerequisite administration and execution IAM roles to be created in each target account first, which is less operationally efficient. Setting up AWS CodePipeline with cross-account roles (Option D) or AWS Control Tower Account Factory customization (Option A) introduces unnecessary complexity and higher operational overhead compared to a native service-managed stack set.
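One way to express the Option B design as a single template deployed from the management account, as an added example that is not part of the exam page: the stack set name, role name, OU id and security account id are placeholders, and the stack set only takes effect once trusted access for StackSets is enabled in Organizations.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Security-baseline IAM stack set (added example, placeholder ids)

Resources:
  BaselineIamStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: security-baseline-iam        # assumed name
      Description: Standardized IAM roles and policies for every member account
      PermissionModel: SERVICE_MANAGED           # uses Organizations trusted access; no per-account admin role needed
      AutoDeployment:
        Enabled: true                            # accounts added to the target OUs get the stack automatically
        RetainStacksOnAccountRemoval: false      # clean up when an account leaves the OU
      Capabilities:
        - CAPABILITY_NAMED_IAM                   # required because the nested template creates a named IAM role
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - r-abcd1234                       # placeholder: root or OU id to cover all member accounts
          Regions:
            - us-east-1                          # IAM is global, so one region is sufficient
      TemplateBody: |
        AWSTemplateFormatVersion: '2010-09-09'
        Resources:
          SecurityAuditRole:
            Type: AWS::IAM::Role
            Properties:
              RoleName: SecurityBaselineAuditRole          # assumed name
              AssumeRolePolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Principal:
                      AWS: arn:aws:iam::111122223333:root  # placeholder: central security account
                    Action: sts:AssumeRole
                    Condition:
                      Bool:
                        aws:MultiFactorAuthPresent: 'true' # require MFA on the assuming principal
              ManagedPolicyArns:
                - arn:aws:iam::aws:policy/SecurityAudit    # read-only audit access
```

Because the stack set is itself a CloudFormation resource, the baseline is version-controlled and updated by changing this one template in the management account rather than touching each member account.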