AWS Certified Security – Specialty (SCS-C02) — Question 257
A company needs to securely deploy resources and workloads across AWS accounts. The accounts are in an organization in AWS Organizations.
The company needs to use AWS CloudFormation for infrastructure as code (IaC) management of approved architectural patterns. The company also must enforce tagging requirements and specific guidelines for resource and workload configuration and creation.
Which solution will meet these requirements?
Answer options
- A. Use CloudFormation stack policies to prevent the creation of resources that do not meet the tagging or configuration requirements. Use Amazon EventBridge rules to detect API calls that attempt to create resources outside of CloudFormation.
- B. Use an AWS CodePipeline pipeline to test and deploy IaC defined workloads through CloudFormation into the accounts. Use AWS Config rules to enforce the tagging requirements. Apply an SCP to prevent the creation of misconfigured resources in all OUs.
- C. Create an IAM permissions boundary to prevent the creation of misconfigured resources through CloudFormation and to enforce the tagging requirements. Apply the permissions boundary to all account roles. Use AWS Config rules to identify existing resources that are in a misconfigured state.
- D. Use AWS Service Catalog with CloudFormation to manage access to approved architecture configurations. Provision Service Catalog portfolios to the accounts across the organization. Use AWS Config rules to enforce the tagging requirements and other resource configuration policies across accounts.
Correct answer: D
Explanation
Option D is correct because AWS Service Catalog allows for the management of approved architecture configurations and ensures compliance with tagging requirements through AWS Config rules. The other options, while they may provide some level of control, do not meet the comprehensive requirements of securely deploying resources across multiple accounts with enforced guidelines as effectively as using AWS Service Catalog does.