AWS Certified Solutions Architect – Associate (SAA-C03) — Question 789
A financial services company that runs on AWS has designed its security controls to meet industry standards. The industry standards include the National Institute of Standards and Technology (NIST) and the Payment Card Industry Data Security Standard (PCI DSS).
The company's third-party auditors need proof that the designed controls have been implemented and are functioning correctly. The company has hundreds of AWS accounts in a single organization in AWS Organizations. The company needs to monitor the current state of the controls across accounts.
Which solution will meet these requirements?
Answer options
- A. Designate one account as the Amazon Inspector delegated administrator account from the Organizations management account. Integrate Inspector with Organizations to discover and scan resources across all AWS accounts. Enable Inspector industry standards for NIST and PCI DSS.
- B. Designate one account as the Amazon GuardDuty delegated administrator account from the Organizations management account. In the designated GuardDuty administrator account, enable GuardDuty to protect all member accounts. Enable GuardDuty industry standards for NIST and PCI DSS.
- C. Configure an AWS CloudTrail organization trail in the Organizations management account. Designate one account as the compliance account. Enable CloudTrail security standards for NIST and PCI DSS in the compliance account.
- D. Designate one account as the AWS Security Hub delegated administrator account from the Organizations management account. In the designated Security Hub administrator account, enable Security Hub for all member accounts. Enable Security Hub standards for NIST and PCI DSS.
Correct answer: D
Explanation
AWS Security Hub is the AWS service for security posture management and natively supports compliance standards such as PCI DSS and NIST SP 800-53. Designating a Security Hub delegated administrator account within AWS Organizations lets the organization enable Security Hub across all member accounts and aggregate and monitor compliance findings in a single dashboard, which is the evidence the auditors need that the controls are implemented and functioning. Amazon Inspector, Amazon GuardDuty, and AWS CloudTrail do not provide native compliance-standard checks or framework mappings for NIST and PCI DSS.
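The steps in option D as an AWS CLI script; this is an added example, not part of the exam page. It assumes AWS CLI v2 with a profile `mgmt` for the Organizations management account and a profile `sechub` for the account being delegated, and it uses Security Hub central configuration so the NIST and PCI DSS standards reach every member account through one policy; the account ID, root ID and Region are placeholders.

```shell
#!/usr/bin/env bash
# Added example: delegate Security Hub administration, then enable the
# NIST SP 800-53 and PCI DSS standards org-wide via a central configuration policy.
# Placeholders: replace the account ID, root ID (aws organizations list-roots) and Region.
set -eu

ADMIN_ACCOUNT_ID="${ADMIN_ACCOUNT_ID:-111122223333}"   # placeholder delegated admin
ORG_ROOT_ID="${ORG_ROOT_ID:-r-exmp}"                    # placeholder organization root
HOME_REGION="${HOME_REGION:-us-east-1}"                # Security Hub home (aggregation) Region

# Standard ARNs are Region-scoped; confirm with `aws securityhub describe-standards`.
standard_arn() { printf 'arn:aws:securityhub:%s::standards/%s' "$1" "$2"; }

# Configuration policy: Security Hub on, both standards enabled, no controls disabled.
build_policy_json() {
  printf '{"SecurityHub":{"ServiceEnabled":true,"EnabledStandardIdentifiers":["%s","%s"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers":[]}}}' \
    "$(standard_arn "$1" nist-800-53/v/5.0.0)" "$(standard_arn "$1" pci-dss/v/3.2.1)"
}

configure_org() {
  # Step 1 (management account): designate the delegated administrator.
  aws securityhub enable-organization-admin-account --profile mgmt --region "$HOME_REGION" \
    --admin-account-id "$ADMIN_ACCOUNT_ID"
  # Step 2 (delegated admin): enable Security Hub, aggregate all Regions into the
  # home Region (required for central configuration), switch the org to CENTRAL.
  aws securityhub enable-security-hub --profile sechub --region "$HOME_REGION" \
    --no-enable-default-standards || echo "Security Hub already enabled in admin account"
  aws securityhub create-finding-aggregator --profile sechub --region "$HOME_REGION" \
    --region-linking-mode ALL_REGIONS
  aws securityhub update-organization-configuration --profile sechub --region "$HOME_REGION" \
    --no-auto-enable --auto-enable-standards NONE --organization-configuration ConfigurationType=CENTRAL
  # Step 3: create the NIST + PCI DSS policy and attach it at the root so every
  # current and future member account inherits it.
  policy_arn=$(aws securityhub create-configuration-policy --profile sechub --region "$HOME_REGION" \
    --name nist-pci-baseline --configuration-policy "$(build_policy_json "$HOME_REGION")" \
    --query Arn --output text)
  aws securityhub start-configuration-policy-association --profile sechub --region "$HOME_REGION" \
    --configuration-policy-identifier "$policy_arn" --target RootId="$ORG_ROOT_ID"
}

# Evidence for auditors: active findings whose control check currently FAILS, by account.
report_failed_controls() {
  aws securityhub get-findings --profile sechub --region "$HOME_REGION" \
    --filters '{"ComplianceStatus":[{"Value":"FAILED","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
    --query 'Findings[].[AwsAccountId,Compliance.SecurityControlId,Title]' --output table
}

# Only touch AWS when explicitly requested, e.g. RUN_SECURITYHUB_SETUP=1 ./setup.sh
if [ "${RUN_SECURITYHUB_SETUP:-}" = "1" ]; then
  configure_org
  report_failed_controls
fi
```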