AWS Certified Security – Specialty (SCS-C02) — Question 58

A company uses AWS Organizations to manage a multi-account AWS environment in a single AWS Region. The organization's management account is named management-01. The company has turned on AWS Config in all accounts in the organization. The company has designated an account named security-01 as the delegated administrator for AWS Config.
All accounts report the compliance status of each account's rules to the AWS Config delegated administrator account by using an AWS Config aggregator. Each account administrator can configure and manage the account's own AWS Config rules to handle each account's unique compliance requirements.
A security engineer needs to implement a solution to automatically deploy a set of 10 AWS Config rules to all existing and future AWS accounts in the organization. The solution must turn on AWS Config automatically during account creation.
Which combination of steps will meet these requirements? (Choose two.)

Answer options

Correct answer: B, E

Explanation

The correct steps are B and E. Option B deploys a conformance pack that contains the required AWS Config rules, which covers the requirement to roll out the set of rules. Option E turns on AWS Config during account creation by using a CloudFormation template deployed from the management account, which covers the requirement that AWS Config be enabled automatically in all accounts. The other options either do not enable AWS Config correctly or do not use the appropriate account for deployment.