AWS Certified Security – Specialty (SCS-C02) — Question 216

A company has a multi-account strategy that uses an organization in AWS Organizations with all features enabled. The company has enabled trusted access for AWS Account Management. New accounts are provisioned through AWS Control Tower Account Factory.

The company must ensure that all new accounts in the organization become AWS Security Hub member accounts.

Which solution will meet these requirements with the LEAST development effort?

Answer options

• A. Enable Security Hub in the organization’s management account. Create an AWS Step Functions workflow. Create an Amazon EventBridge rule to invoke the workflow when a CreateAccount event occurs.
• B. Enable Security Hub in the organization’s management account. Wait for all new accounts to complete automatic onboarding.
• C. Enable Security Hub in the organization’s management account. Create an AWS Lambda function to enable Security Hub for new accounts. Invoke the Lambda function by using an AWS Control Tower lifecycle event that occurs when a new account is provisioned.
• D. Use the organization’s management account to designate a Security Hub delegated administrator account. In the delegated administrator account, create a configuration policy to enable Security Hub. Associate the configuration policy with the organization root.

Correct answer: D

Explanation

The correct answer is D because designating a delegated administrator account allows for the centralized management of Security Hub across all accounts with minimal effort. Options A and C involve additional development work with Step Functions or Lambda, while B may lead to delays in onboarding new accounts to Security Hub.