AWS Certified Solutions Architect Professional SAP-C02 Practice Question
An enterprise uses AWS Organizations to manage more than 500 AWS accounts. The security team has created a dedicated security-tooling account in the us-east-1 Region and must meet the following requirements:
AWS Security Hub must be enabled in every current and future account in all Regions.
All findings must be visible only in the security-tooling account.
No other account may designate itself as the Security Hub delegated administrator.
The solution must follow the principle of least privilege and require minimal ongoing maintenance. Which approach BEST meets these requirements?
From the organization management account, run securityhub enable-organization-admin-account in each enabled Region to set the security-tooling account as delegated administrator. In the delegated administrator account, run securityhub update-organization-configuration with AutoEnable=true and enable the default standards for all Regions. Attach an SCP at the organization root that denies securityhub:EnableOrganizationAdminAccount to every account except the management account.
Use a CloudFormation StackSet to deploy a template that enables Security Hub and its default standards in every current account and Region; configure the StackSet for automatic deployment to new accounts.
Enable Security Hub through AWS Control Tower guardrails when the landing zone is set up. Rely on the guardrails to enable Security Hub in new accounts and prevent changes to the delegated administrator.
Enable Security Hub only in the security-tooling account and create a cross-Region finding aggregator. In each member account, add an EventBridge rule that forwards Security Hub findings to the aggregator.
Running enable-organization-admin-account from the organization management account designates the security-tooling account as the Security Hub delegated administrator in the current Region; repeating the call (or using central-configuration) in every active Region ensures that the same account is admin everywhere. In the delegated administrator account, update-organization-configuration with AutoEnable=true (and the default standards setting) automatically adds every existing and future member account as a Security Hub member in every Region, so findings flow to the delegated administrator without additional setup. Finally, an SCP applied at the root that explicitly denies securityhub:EnableOrganizationAdminAccount (except for the management account) blocks any other account from changing the delegated administrator. This combination satisfies all three requirements with a single point of administration and no per-account maintenance. The other options either rely on manual EventBridge forwarding, require per-account StackSet deployments, or depend on Control Tower guardrails that neither auto-enable Security Hub in every Region nor prevent other accounts from changing the administrator.
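The three steps of the chosen answer, written out as a POSIX shell script around the AWS CLI. This is an added example, not code from the exam page or from AWS. It assumes two named CLI profiles, `org-management` (management account) and `security-tooling` (delegated administrator), and a placeholder security-tooling account id `111111111111`; the fixed Region list is only used in dry-run mode. Nothing is executed unless `APPLY=1` is set, so the default run just prints every call. It goes one step beyond the page by finishing with `list-organization-admin-accounts` so the result can be checked per Region.

```sh
#!/bin/sh
# Added example, not taken from the exam page or from AWS: the chosen answer as a script.
# Assumptions (all placeholders): named CLI profiles "org-management" and
# "security-tooling", security-tooling account id 111111111111.
# Nothing is executed unless APPLY=1; otherwise each command is printed to stderr.
set -eu

MGMT_PROFILE="${MGMT_PROFILE:-org-management}"           # assumed profile, management account
SECTOOL_PROFILE="${SECTOOL_PROFILE:-security-tooling}"   # assumed profile, security-tooling account
SECTOOL_ACCOUNT_ID="${SECTOOL_ACCOUNT_ID:-111111111111}" # placeholder account id

# Every AWS call goes through run(): executed with APPLY=1, otherwise echoed to stderr,
# so values captured with $(...) stay empty in dry-run and get placeholders below.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*" >&2; fi
}

# Regions to cover: the account's enabled Regions when applying, a fixed list in dry-run.
enabled_regions() {
  if [ "${APPLY:-0}" = "1" ]; then
    aws --profile "$MGMT_PROFILE" --region us-east-1 ec2 describe-regions \
      --query 'Regions[].RegionName' --output text
  else
    printf '%s\n' us-east-1 us-west-2 eu-west-1
  fi
}

# Step 1, run as the management account in every Region: delegate Security Hub
# administration to the security-tooling account. $1 = admin account id, rest = Regions.
designate_delegated_admin() {
  admin="$1"; shift
  for region in "$@"; do
    run aws --profile "$MGMT_PROFILE" --region "$region" securityhub \
      enable-organization-admin-account --admin-account-id "$admin"
  done
}

# Step 2, run as the delegated administrator in every Region: auto-enroll current and
# future member accounts and enable the default standards for them. Args = Regions.
auto_enable_members() {
  for region in "$@"; do
    run aws --profile "$SECTOOL_PROFILE" --region "$region" securityhub \
      update-organization-configuration --auto-enable --auto-enable-standards DEFAULT
  done
}

# Step 3: the SCP. SCPs never apply to the management account, so a plain Deny at the
# root already leaves the management account as the only one able to call this action.
scp_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangingSecurityHubDelegatedAdmin",
      "Effect": "Deny",
      "Action": "securityhub:EnableOrganizationAdminAccount",
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the SCP in the management account and attach it to the organization root.
# Organizations is a global service; us-east-1 is just the CLI endpoint Region here.
attach_scp_at_root() {
  root_id=$(run aws --profile "$MGMT_PROFILE" --region us-east-1 organizations list-roots \
    --query 'Roots[0].Id' --output text)
  policy_id=$(run aws --profile "$MGMT_PROFILE" --region us-east-1 organizations create-policy \
    --name ProtectSecurityHubDelegatedAdmin --type SERVICE_CONTROL_POLICY \
    --description 'Only the management account may change the Security Hub delegated admin' \
    --content "$(scp_document)" --query 'Policy.PolicySummary.Id' --output text)
  run aws --profile "$MGMT_PROFILE" --region us-east-1 organizations attach-policy \
    --policy-id "${policy_id:-<new-policy-id>}" --target-id "${root_id:-<root-id>}"
}

# Check: every Region should report the security-tooling account with Status ENABLED.
verify_delegated_admin() {
  for region in "$@"; do
    run aws --profile "$MGMT_PROFILE" --region "$region" securityhub \
      list-organization-admin-accounts --query 'AdminAccounts[].[AccountId,Status]' --output text
  done
}

main() {
  regions=$(enabled_regions)
  # shellcheck disable=SC2086  # splitting the Region list into words is intended
  designate_delegated_admin "$SECTOOL_ACCOUNT_ID" $regions
  auto_enable_members $regions
  attach_scp_at_root
  verify_delegated_admin $regions
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it once as `./securityhub-rollout.sh --run` to read the planned calls, then with `APPLY=1` to execute them. Step 2 must follow step 1 in each Region, because `update-organization-configuration` is only accepted from the account that is already the delegated administrator there. The SCP covers exactly the action the question names; in practice the matching tear-down action `securityhub:DisableOrganizationAdminAccount` is usually denied in the same statement so a member account cannot remove the administrator either.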
Design Solutions for Organizational Complexity