AWS Certified Solutions Architect – Professional (SAP-C02) — Question 62
A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization. The company wants to implement governance and policy enforcement. The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company’s production OU.
Which solution will meet this requirement?
Answer options
- A. Turn on mandatory guardrails in AWS Control Tower. Apply the mandatory guardrails to the production OU.
- B. Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the production OU.
- C. Use AWS Config to create a new mandatory guardrail. Apply the rule to all accounts in the production OU.
- D. Create a custom SCP in AWS Control Tower. Apply the SCP to the production OU.
Correct answer: B
Explanation
The correct answer is B. The strongly recommended guardrails in AWS Control Tower include a detective guardrail that checks whether storage encryption is enabled for Amazon RDS DB instances; enabling that guardrail on the production OU detects unencrypted instances in every account under the OU. Option A is incorrect because the mandatory guardrails are enabled automatically when the landing zone is set up and do not cover RDS storage encryption. Option C is incorrect because guardrails are managed by AWS Control Tower, not created in AWS Config, and mandatory guardrails are not customer-defined. Option D is incorrect because an SCP is a preventive control that restricts which API actions accounts can perform; it cannot detect DB instances that already exist without encryption.
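The detective guardrail chosen in option B reports compliance through AWS Config. The following added example (not AWS Control Tower's own implementation, which uses a managed rule) shows the same evaluation logic written as a custom AWS Config rule handler, run over a constructed configuration item for an unencrypted DB instance; the event shape and resource values are assumptions for illustration.

```python
import json

# Constructed sample of the event AWS Config sends a custom rule when an
# RDS instance's configuration item changes (values are made up).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::RDS::DBInstance",
            "resourceId": "db-EXAMPLE1234567890",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configurationItemStatus": "OK",
            "configuration": {"dBInstanceIdentifier": "prod-orders",
                              "storageEncrypted": False},
        },
    }),
    "resultToken": "example-token",
}


def evaluate_compliance(configuration_item):
    """Return (compliance_type, annotation) for one configuration item.

    Only DB instances are in scope, deleted resources are NOT_APPLICABLE,
    and an instance is COMPLIANT only when storage encryption is enabled.
    """
    if configuration_item["resourceType"] != "AWS::RDS::DBInstance":
        return "NOT_APPLICABLE", "Rule applies only to AWS::RDS::DBInstance"
    if configuration_item["configurationItemStatus"] in ("ResourceDeleted",
                                                        "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    config = configuration_item.get("configuration") or {}
    if config.get("storageEncrypted") is True:
        return "COMPLIANT", "Storage encryption is enabled"
    name = config.get("dBInstanceIdentifier", "<unknown>")
    return "NON_COMPLIANT", "DB instance %s is not encrypted at rest" % name


def build_evaluation(event):
    """Turn the invoking event into the evaluation dict AWS Config expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed as a custom rule; needs boto3 at runtime."""
    import boto3  # imported here so the logic above stays testable offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                          ResultToken=event["resultToken"])
    return evaluation
```

Deployed in each account under the production OU, the rule would flag the constructed instance above as NON_COMPLIANT in the AWS Config dashboard, which is the same visibility the strongly recommended guardrail provides.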