AWS Certified Solutions Architect – Associate (SAA-C03) — Question 744

A company needs a solution to prevent AWS CloudFormation stacks from deploying AWS Identity and Access Management (IAM) resources that include an inline policy or “*” in the statement. The solution must also prohibit deployment of Amazon EC2 instances with public IP addresses. The company has AWS Control Tower enabled in its organization in AWS Organizations.

Which solution will meet these requirements?

Answer options

• A. Use AWS Control Tower proactive controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.
• B. Use AWS Control Tower detective controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.
• C. Use AWS Config to create rules for EC2 and IAM compliance. Configure the rules to run an AWS Systems Manager Session Manager automation to delete a resource when it is not compliant.
• D. Use a service control policy (SCP) to block actions for the EC2 instances and IAM resources if the actions lead to noncompliance.

Correct answer: A

Explanation

AWS Control Tower proactive controls use AWS CloudFormation Hooks to evaluate resources before they are deployed, allowing them to block the creation of non-compliant resources like EC2 instances with public IPs or IAM policies with '*' wildcards. Detective controls only identify non-compliant resources after deployment rather than blocking them, making them unsuitable for prevention. AWS Config and SCPs are either reactive solutions or incapable of inspecting specific CloudFormation template configurations to proactively block these deployments.