A company that uses AWS Organizations is migrating workloads to AWS. The company's applic…

Question

A company that uses AWS Organizations is migrating workloads to AWS. The company's application team determines that the workloads will use Amazon EC2 instances, Amazon S3 buckets, Amazon DynamoDB tables, and Application Load Balancers. For each resource type, the company mandates that deployments must comply with the following requirements: • All EC2 instances must be launched from approved AWS accounts. • All DynamoDB tables must be provisioned with a standardized naming convention. • All infrastructure that is provisioned in any accounts in the organization must be deployed by AWS CloudFormation templates. Which combination of steps should the application team take to meet these requirements? (Choose two.)

Accepted Answer

Correct answer: A, D. A. Create CloudFormation templates in an administrator AWS account. Share the stack sets with an application AWS account. Restrict the template to be used specifically by the application AWS account. — D. Use SCPs to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance requirements are met. — Option A is correct as it ensures that CloudFormation templates are created in a controlled environment and shared with the application account, enforcing compliance. Option D is also correct because Service Control Policies (SCPs) can effectively restrict the application AWS account from deploying resources that do not meet the compliance criteria. The other options either do not address all requirements or do not leverage the necessary AWS features for compliance management.

AWS Certified Security – Specialty (SCS-C02) — Question 173

Answer options

Correct answer: A, D

Explanation