AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 97

A company recently created a new AWS Control Tower landing zone in a new organization in AWS Organizations. The landing zone must be able to demonstrate compliance with the Center for Internet Security (CIS) Benchmarks for AWS Foundations.

The company’s security team wants to use AWS Security Hub to view compliance across all accounts. Only the security team can be allowed to view aggregated Security Hub findings. In addition, specific users must be able to view findings from their own accounts within the organization. All accounts must be enrolled in Security Hub after the accounts are created.

Which combination of steps will meet these requirements in the MOST automated way? (Choose three.)

Answer options

• A. Turn on trusted access for Security Hub in the organization’s management account. Create a new security account by using AWS Control Tower. Configure the new security account as the delegated administrator account for Security Hub. In the new security account, provide Security Hub with the CIS Benchmarks for AWS Foundations standards.
• B. Turn on trusted access for Security Hub in the organization’s management account. From the management account, provide Security Hub with the CIS Benchmarks for AWS Foundations standards.
• C. Create an AWS IAM Identity Center (AWS Single Sign-On) permission set that includes the required permissions. Use the CreateAccountAssignment API operation to associate the security team users with the permission set and with the delegated security account.
• D. Create an SCP that explicitly denies any user who is not on the security team from accessing Security Hub.
• E. In Security Hub, turn on automatic enablement.
• F. In the organization’s management account, create an Amazon EventBridge rule that reacts to the CreateManagedAccount event. Create an AWS Lambda function that uses the Security Hub CreateMembers API operation to add new accounts to Security Hub. Configure the EventBridge rule to invoke the Lambda function.

Correct answer: A, C, E

Explanation

The correct steps A, C, and E ensure that Security Hub is properly configured for compliance monitoring while allowing the security team to manage access effectively. Step A establishes the necessary trusted access and configuration for standards, C sets up appropriate permissions for team members, and E ensures that all new accounts are automatically enrolled in Security Hub. Options B, D, and F do not fully meet the requirements or automate the necessary enrollment and access management processes.