AWS Certified DevOps Engineer – Professional — Question 114
A company requires its internal business teams to launch resources through pre-approved AWS CloudFormation templates only. The security team requires automated monitoring when resources drift from their expected state.
Which strategy should be used to meet these requirements?
Answer options
- A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.
- B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.
- C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.
- D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.
Correct answer: C
Explanation
The correct answer is C because AWS Service Catalog restricts users to launching pre-approved templates, a launch constraint lets those products be provisioned under a role the end users do not hold directly, and AWS Config rules provide automated monitoring of resource drift. Options A and B do not enforce the use of pre-approved templates through Service Catalog, and option D relies on Amazon EventBridge notifications rather than AWS Config rules for drift detection.