AWS Certified Solutions Architect – Professional (SAP-C02) — Question 413
A company creates an AWS Control Tower landing zone to manage and govern a multi-account AWS environment. The company's security team will deploy preventive controls and detective controls to monitor AWS services across all the accounts. The security team needs a centralized view of the security state of all the accounts.
Which solution will meet these requirements?
Answer options
- A. From the AWS Control Tower management account, use AWS CloudFormation StackSets to deploy an AWS Config conformance pack to all accounts in the organization.
- B. Enable Amazon Detective for the organization in AWS Organizations. Designate one AWS account as the delegated administrator for Detective.
- C. From the AWS Control Tower management account, deploy an AWS CloudFormation stack set that uses the automatic deployment option to enable Amazon Detective for the organization.
- D. Enable AWS Security Hub for the organization in AWS Organizations. Designate one AWS account as the delegated administrator for Security Hub.
Correct answer: D
Explanation
AWS Security Hub collects, normalizes, and prioritizes findings from other AWS services (GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and others), evaluates accounts against security standards that are implemented as AWS Config rules, and scores each account, so it is the service built for a centralized view of security posture across many accounts. Enabling Security Hub for the organization through AWS Organizations and designating a member account (not the management account) as the delegated administrator is the documented AWS pattern for multi-account governance: the delegated administrator sees findings from every member account and can automatically enable Security Hub for accounts added later, which matters in a Control Tower environment where Account Factory keeps creating accounts. One caveat: Security Hub is Regional, so the delegated administrator must be designated in each Region in use (or cross-Region finding aggregation configured) to get a single view.

Option A only distributes AWS Config rules; a conformance pack reports compliance inside each account and provides no organization-wide dashboard by itself, and Control Tower's detective controls are already Config rules. Amazon Detective (Options B and C) is for investigating individual findings, not for summarizing security state, and Option C is also malformed: a CloudFormation stack set does not "enable Detective for the organization", since that is done by designating a Detective delegated administrator in Organizations.
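As an added example (not part of the original question and not AWS's own documentation), the CLI sequence behind Option D: phase 1 runs with management-account credentials, phase 2 with the delegated administrator's credentials. It assumes AWS CLI v2, an organization in "all features" mode (which Control Tower already requires), and placeholder account IDs; the management-account guard and the existing-member enrollment are the two steps people most often skip.

```shell
#!/bin/sh
# Added example, not from the original question or AWS documentation: the
# two-phase procedure for enabling Security Hub across an AWS Organization
# with a delegated administrator, using AWS CLI v2 commands.
# Assumptions: management-account credentials for phase 1, delegated-admin
# credentials for phase 2, Organizations in "all features" mode, placeholder
# account IDs. Security Hub is Regional: repeat this in every Region in use.
set -eu

# Phase 1, run as the MANAGEMENT account: register the Security Hub service
# principal with Organizations, then designate the delegated administrator.
# The delegated admin must be a member account, never the management account.
designate_securityhub_admin() {
    admin_id="$1"
    mgmt_id=$(aws organizations describe-organization \
                --query 'Organization.MasterAccountId' --output text)
    if [ "$admin_id" = "$mgmt_id" ]; then
        echo "refusing: $admin_id is the management account; pick a member account" >&2
        return 1
    fi
    aws organizations enable-aws-service-access \
        --service-principal securityhub.amazonaws.com
    aws securityhub enable-organization-admin-account --admin-account-id "$admin_id"
}

# Phase 2, run as the DELEGATED ADMIN: auto-enable Security Hub for accounts
# that join the organization later, then enroll the accounts that already
# exist as members. --auto-enable alone does not touch existing accounts.
configure_org_securityhub() {
    self_id=$(aws sts get-caller-identity --query Account --output text)
    aws securityhub update-organization-configuration --auto-enable
    # Build the AccountDetails list from Organizations, excluding this account.
    aws organizations list-accounts \
        --query "Accounts[?Id!='${self_id}'].{AccountId:Id,Email:Email}" \
        --output json \
      | aws securityhub create-members --account-details file:///dev/stdin
}
```

After phase 2, `aws securityhub list-members` in the delegated administrator account shows each member's status, and the Security Hub console in that account becomes the single view the question asks for; the management account itself is deliberately left out of the member list.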