AWS Certified Security – Specialty (SCS-C02) — Question 92
A company uses infrastructure as code (IaC) to create AWS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates.
After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company's security posture on AWS. The company must prevent the deployment of any infrastructure that would violate a security policy, such as an unencrypted Amazon Elastic Block Store (Amazon EBS) volume.
Which solution will meet these requirements?
Answer options
- A. Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.
- B. Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe the CI/CD pipeline to an Amazon Simple Notification Service (Amazon SNS) topic that receives notifications from AWS Config.
- C. Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.
- D. Create rule sets as SCPs. Integrate the SCPs as a part of validation control in a phase of the CI/CD process.
Correct answer: C
Explanation
The correct answer is C because AWS CloudFormation Guard lets the company write rules that validate CloudFormation templates against its security policies before anything is deployed; running that validation as a phase of the existing CI/CD pipeline blocks a non-compliant template, such as one that declares an unencrypted EBS volume, from ever reaching AWS. Option A does not enforce policy checks during deployment. Option B only evaluates resources and sends notifications after they already exist, so it detects violations rather than preventing them. Option D involves Service Control Policies (SCPs), which restrict API actions at the AWS Organizations level and are not applicable to validating the content of CloudFormation templates in a CI/CD pipeline.
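As an added illustration of the approach in option C (this rule file is not part of the original question or of any AWS-published rule set), the following CloudFormation Guard rules fail any template that declares an `AWS::EC2::Volume` without `Encrypted: true`. The resource type and property name are the standard CloudFormation ones; the rule and variable names are assumptions chosen for this example.

```guard
# Example policy-as-code rule for CloudFormation Guard (not from the original page).
# Purpose: reject any CloudFormation template that would create an unencrypted EBS volume.

# Select every resource in the template whose Type is an EBS volume.
let ebs_volumes = Resources.*[ Type == 'AWS::EC2::Volume' ]

# Only evaluate when the template actually declares at least one EBS volume;
# templates with no volumes are reported as SKIP rather than FAIL.
rule ebs_volumes_must_be_encrypted when %ebs_volumes !empty {
    # The Encrypted property defaults to false when omitted, so require it explicitly.
    %ebs_volumes.Properties.Encrypted exists
        <<EBS volumes must declare the Encrypted property>>

    %ebs_volumes.Properties.Encrypted == true
        <<EBS volumes must be created with Encrypted: true>>
}
```

In the pipeline's validation phase, run `cfn-guard validate --rules <rule file> --data <template>` against each template and treat a non-zero exit status as a failed build, which is what prevents the non-compliant infrastructure from being deployed.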