A company's DevOps engineer manages an organization in AWS Organizations. The organizatio…

Question

A company's DevOps engineer manages an organization in AWS Organizations. The organization includes many accounts. The company needs all AWS CloudFormation stacks in production accounts to have termination protection enabled. Non-production accounts do not need termination protection. The company has designated a centralized account for AWS Config aggregation and has configured all accounts to support the use of CloudFormation and AWS Config. The company also has grouped all production accounts into an OU. Which solution will meet these requirements?

Accepted Answer

Correct answer: B. B. Create a CloudFormation template that deploys an AWS Config rule to detect stacks that do not have termination protection enabled. Add a remediation action to the rule to enable termination protection. Deploy the template to the OU of the production accounts by using CloudFormation StackSets. — Option B is correct because it directly addresses the requirement of enabling termination protection through a CloudFormation template and allows for deployment across the specific OU for production accounts. Option A lacks the deployment through StackSets, making it less suitable for the OU-wide application. Option C focuses on denying deletion actions, which does not enable termination protection, while Option D also does not fulfill the requirement since it blocks updates rather than ensuring termination protection.

AWS Certified DevOps Engineer – Professional — Question 147

Answer options

Correct answer: B

Explanation