
Answer-first summary for fast verification
Answer: Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the production OU.
Option B is the correct choice because AWS Control Tower provides a list of strongly recommended guardrails that encode governance rules and best practices for your AWS accounts. One of these guardrails detects non-compliance such as Amazon RDS DB instances that are not encrypted at rest. Enabling the appropriate guardrail from this list and applying it to the production organizational unit (OU) runs that compliance check automatically across all accounts within the production OU. This approach uses the built-in, managed policies in AWS Control Tower, which simplifies governance and policy enforcement and avoids the need to create custom rules or service control policies (SCPs).
Author: LeetQuiz Editorial Team
A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization. The company wants to implement governance and policy enforcement. The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company’s production OU. Which solution will meet this requirement?
A. Turn on mandatory guardrails in AWS Control Tower. Apply the mandatory guardrails to the production OU.
B. Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the production OU.
C. Use AWS Config to create a new mandatory guardrail. Apply the rule to all accounts in the production OU.
D. Create a custom SCP in AWS Control Tower. Apply the SCP to the production OU.