AWS Certified Security – Specialty — Question 437
A company is using AWS Organizations with all features enabled. The company has an AWS management account under the organization's root and a small number of AWS accounts under a child OU. The company expects to grow by more than 1,000 AWS accounts in the next year.
The company wants to enforce a policy that disallows any configuration changes to AWS Config settings in all AWS Organizations member accounts, applied automatically whenever the company creates a member account. The company will enforce this policy on all existing accounts and on any future AWS accounts that the company creates. The company also wants a centralized view of the compliance status of all accounts.
Which solution will meet these requirements?
Answer options
- A. Configure AWS Config with trusted access in the Organizations management account.
- B. Configure AWS Control Tower to extend governance to the organization. Enroll Organizations member accounts.
- C. Use AWS Config to review the enforcement compliance of each AWS account.
- D. Create an SCP that denies access to all AWS Config API actions. Apply the SCP to the organization's root.
Correct answer: B
Explanation
AWS Control Tower is the managed way to set up and govern a secure, multi-account AWS environment at scale. It applies its guardrails (including the preventive guardrail that disallows changes to AWS Config) automatically to every account it provisions or enrolls, and its dashboard gives a centralized view of compliance across the organization, which satisfies both requirements with no per-account work as the account count grows. Option D does not work: an SCP that denies all AWS Config API actions at the organization's root would block AWS Config itself from recording and evaluating resources, not merely protect its configuration from change, so there would be nothing to report on. Options A and C only enable or review AWS Config; neither provides the automated guardrails and centralized governance required at this scale.