AWS Certified Solutions Architect – Professional (SAP-C02) — Question 165
A company has a few AWS accounts for development and wants to move its production application to AWS. The company needs to enforce Amazon Elastic Block Store (Amazon EBS) encryption at rest for current production accounts and future production accounts only. The company needs a solution that includes built-in blueprints and guardrails.
Which combination of steps will meet these requirements? (Choose three.)
Answer options
- A. Use AWS CloudFormation StackSets to deploy AWS Config rules on production accounts.
- B. Create a new AWS Control Tower landing zone in an existing developer account. Create OUs for accounts. Add production and development accounts to production and development OUs, respectively.
- C. Create a new AWS Control Tower landing zone in the company’s management account. Add production and development accounts to production and development OUs, respectively.
- D. Invite existing accounts to join the organization in AWS Organizations. Create SCPs to ensure compliance.
- E. Create a guardrail from the management account to detect EBS encryption.
- F. Create a guardrail for the production OU to detect EBS encryption.
Correct answer: C, D, F
Explanation
The correct answer is C, D, F because establishing a new AWS Control Tower landing zone in the management account allows for the proper organization of accounts. Inviting existing accounts to AWS Organizations and implementing SCPs ensures compliance, and creating a guardrail for the production OU specifically monitors EBS encryption. The other options either do not meet the requirement of using the management account or do not target the production OU directly.