AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 90

A company is using AWS Organizations to centrally manage its AWS accounts. The company has turned on AWS Config in each member account by using AWS CloudFormation StackSets. The company has configured trusted access in Organizations for AWS Config and has configured a member account as a delegated administrator account for AWS Config.

A DevOps engineer needs to implement a new security policy. The policy must require all current and future AWS member accounts to use a common baseline of AWS Config rules that contain remediation actions that are managed from a central account. Non-administrator users who can access member accounts must not be able to modify this common baseline of AWS Config rules that are deployed into each member account.

Which solution will meet these requirements?

Answer options

Correct answer: D

Explanation

The correct answer is D because deploying an AWS Config conformance pack from the delegated administrator account ensures that the rules and remediation actions are centrally managed while preventing modifications by non-administrator users. Options A and B are incorrect as they rely on the management account for deployment, which does not meet the requirement of preventing unauthorized changes in member accounts. Option C is also incorrect because it uses a CloudFormation template, which does not provide the centralized management and enforcement features of a conformance pack.
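To make the chosen solution concrete, here is an added example (not part of the question or its explanation) of what the common baseline could look like as a conformance pack template. The specific rule (the managed rule `S3_BUCKET_PUBLIC_READ_PROHIBITED`) and the SSM remediation document `AWS-DisableS3BucketPublicReadWrite` are assumptions picked for illustration; the question names no particular rules. The `RemediationRoleArn` parameter is a hypothetical IAM role that is assumed to already exist in every member account, for example deployed through the same CloudFormation StackSets the company already uses.

```yaml
# Added example, not from the question page: a minimal conformance pack that a
# delegated administrator deploys to every account in the organization.
# Rule and remediation document are illustrative assumptions.
Parameters:
  RemediationRoleArn:
    Type: String
    Description: >-
      Hypothetical IAM role present in every member account; SSM Automation
      assumes it to run the remediation.
Resources:
  # Managed rule that flags S3 buckets allowing public read access.
  S3PublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: baseline-s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
  # Automatic remediation tied to the rule above; managed centrally because the
  # pack, not the member account, owns this resource.
  S3PublicReadRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref S3PublicReadProhibited
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref RemediationRoleArn
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID
```

From the delegated administrator account the pack is rolled out to all current and future member accounts with `aws configservice put-organization-conformance-pack --organization-conformance-pack-name baseline --template-body file://baseline.yaml --conformance-pack-input-parameters ParameterName=RemediationRoleArn,ParameterValue=<role ARN>`. Because the rules and remediation configurations are created as part of an organization conformance pack, they are owned by the organization deployment rather than by the member account, which is the property the explanation relies on: a non-administrator user in a member account cannot edit or delete them through that account's own AWS Config API.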