AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A company uses AWS Organizations to manage hundreds of AWS accounts. The security team wants to enforce a standardized set of secure configurations for Amazon S3 buckets across all existing and future accounts within specific Organizational Units (OUs). The solution must centrally manage the deployment of these configurations, automatically apply them to new accounts added to the OUs, and provide a mechanism to detect deviations from the deployed baseline. Which Infrastructure as Code (IaC) approach is the most effective and scalable for meeting these requirements?
Use AWS CloudFormation StackSets with service-managed permissions. Define the standard S3 bucket configuration in a template and create a stack set that targets specific OUs with automatic deployment enabled. Periodically run drift detection on the stack set to identify unauthorized changes.
Deploy an AWS Config rule and an associated SSM Automation remediation document to all accounts. The rule will detect S3 buckets that do not conform to the standard, and the remediation action will automatically modify the bucket configuration to be compliant.
Write an AWS Lambda function in the management account that uses the AWS SDK to create the standard S3 buckets in all member accounts. Schedule the function to run periodically to check for and revert any configuration changes.
Establish a CI/CD pipeline that iterates through a list of all member accounts and executes an aws cloudformation deploy command in each account using a standard template. Manually update the account list and re-run the pipeline when new accounts are created.
The correct approach is to use AWS CloudFormation StackSets with service-managed permissions. CloudFormation StackSets are designed to deploy stacks across multiple AWS accounts and Regions in a single operation. When used with service-managed permissions in an AWS Organization, you can target entire OUs. This solution allows for automatic deployment to new accounts added to the target OUs, fulfilling a key requirement. Furthermore, StackSets have a built-in drift detection feature, which allows you to identify resources that have been altered outside of CloudFormation, thus detecting deviations from the standard baseline.
Incorrect options are:
Deploying individual CloudFormation templates via a CI/CD pipeline is less scalable. It lacks the centralized management of StackSets and does not automatically handle the onboarding of new accounts; a manual process would be needed to trigger the pipeline for each new account.
Using an AWS Lambda function with the AWS SDK to create and manage the buckets is an imperative, custom-coded solution. This approach is more complex to build and maintain than a declarative IaC solution like CloudFormation. It would require custom logic for state management, idempotency, and drift checking, all of which are native features of CloudFormation StackSets.
Using only AWS Config with remediation actions is a reactive approach focused on compliance and governance, not initial resource provisioning. While it can detect and fix non-compliant resources, it does not handle the initial, standardized deployment of the S3 buckets across the organization. The primary goal is to provision resources, which is the main function of CloudFormation.
Exam domain: Design for New Solutions