AWS Certified DevOps Engineer - Professional
Get started today
Ultimate access to all questions.
Ultimate access to all questions.
A company utilizes AWS Organizations to manage multiple AWS accounts centrally. They have activated AWS Config across all member accounts via AWS CloudFormation StackSets and established trusted access for AWS Config within the Organizations framework. Furthermore, they have appointed a specific member account as the delegated administrator for AWS Config. The company requires a new security policy to be implemented by a DevOps engineer. This policy mandates that all existing and future member accounts must comply with a uniform set of AWS Config rules that include remediation actions, which are to be controlled from a single, central account. It is also a requirement that non-administrator users, who may have access to these member accounts, are prevented from altering the established baseline of AWS Config rules. Which solution will effectively fulfill these requirements?
Explanation:
The correct answer is D. Creating an AWS Config conformance pack that contains the AWS Config rules and remediation actions and deploying the pack from the delegated administrator account using AWS Config ensures that the common baseline rules are managed centrally and cannot be modified by non-administrative users. Option D leverages the delegated administrator account for AWS Config, which is designed to centrally manage and enforce compliance across all member accounts in AWS Organizations. This approach offers more control and security compared to the other options and meets the requirement of preventing non-administrative users from altering the AWS Config rules.