
AWS Certified DevOps Engineer - Professional
A DevOps engineer is tasked with implementing a consistent set of security measures across multiple AWS accounts organized under AWS Organizations. Each account is to be managed by separate teams with the AdministratorAccess policy. The requirement is to activate AWS CloudTrail and AWS Config in all AWS Regions for these accounts. While individual account administrators should not have the ability to alter or remove the foundational resources, they must be allowed to modify or remove their own CloudTrail trails and AWS Config rules. What is the most operationally efficient solution to achieve these security and administrative requirements?
Explanation:
The correct answer is C. It is the most operationally efficient option because the baseline is built once, from the management account (or a delegated administrator account), instead of once per account: an AWS CloudFormation StackSet with service-managed permissions deploys the baseline to every account and Region in the organization, including accounts added later; a single organization trail created in the management account delivers CloudTrail logs for all accounts and all Regions, so no per-account trail is needed for the baseline; and AWS Config recorders and organization-level Config rules are rolled out the same way. A Service Control Policy (SCP) attached to the member accounts' organizational units then denies the actions that would stop, delete or reconfigure the baseline AWS Config recorder and delivery channel (and any per-account baseline trail), with a condition that exempts the StackSet execution role so the StackSet itself can still update those resources. Because the deny is limited to those actions and resources, each team's AdministratorAccess policy still lets it create, modify and delete its own trails and Config rules. An SCP is the right control here because it bounds what even an AdministratorAccess principal can do inside a member account; an organization trail is additionally protected because member accounts can see it but cannot modify or delete it.
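The SCP described above, as an added example that is not part of the original question page. It shows the shape of the policy document and a small evaluator (a simplified model of SCP evaluation: a matching explicit Deny wins, otherwise an Allow must match) so you can check that the baseline recorder is protected while a team's own Config rule and trail stay manageable. The execution role pattern `stacksets-exec-*`, the trail name prefix `baseline-`, and the account and role ARNs in the usage block are assumptions for illustration.

```python
import fnmatch
import json

# Assumption: the StackSet uses service-managed permissions, whose execution
# roles in member accounts are named stacksets-exec-<random>. Only this
# principal may touch the baseline resources.
STACKSET_EXEC_ROLE_PATTERN = "arn:aws:iam::*:role/stacksets-exec-*"

# Assumption: a per-account baseline trail (if one is deployed by the StackSet
# instead of an organization trail) is named with the prefix "baseline-".
BASELINE_TRAIL_ARN_PATTERN = "arn:aws:cloudtrail:*:*:trail/baseline-*"

BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        # SCPs only filter; this is the usual FullAWSAccess allow statement.
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        # The configuration recorder and delivery channel are one-per-Region
        # singletons, so denying these actions outright does not restrict the
        # teams' ability to manage their own Config *rules*.
        {
            "Sid": "ProtectBaselineConfigRecorder",
            "Effect": "Deny",
            "Action": [
                "config:DeleteConfigurationRecorder",
                "config:StopConfigurationRecorder",
                "config:PutConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "config:PutDeliveryChannel",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": STACKSET_EXEC_ROLE_PATTERN}},
        },
        # CloudTrail supports resource-level permissions, so the deny is scoped
        # to the baseline trail's ARN and leaves the teams' own trails alone.
        {
            "Sid": "ProtectBaselineTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": BASELINE_TRAIL_ARN_PATTERN,
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": STACKSET_EXEC_ROLE_PATTERN}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    # IAM patterns use "*" and "?" only; ARNs never contain "[" so fnmatch is safe.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Supports the two ARN operators this policy uses."""
    for operator, key_values in condition.items():
        for key, patterns in key_values.items():
            actual = context.get(key)
            hit = actual is not None and any(_wildcard_match(p, actual) for p in _as_list(patterns))
            if operator == "ArnLike" and not hit:
                return False
            if operator == "ArnNotLike" and hit:
                return False
            if operator not in ("ArnLike", "ArnNotLike"):
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def scp_permits(policy, action, resource, principal_arn):
    """Simplified SCP evaluation: explicit Deny wins, else some Allow must match."""
    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for statement in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(statement["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    team_admin = "arn:aws:iam::111122223333:role/TeamAdmin"        # assumed member-account admin
    stackset = "arn:aws:iam::111122223333:role/stacksets-exec-a1b2c3"  # assumed execution role
    print(json.dumps(BASELINE_SCP, indent=2))
    for who, action, res in [
        (team_admin, "config:DeleteConfigurationRecorder", "*"),
        (stackset, "config:DeleteConfigurationRecorder", "*"),
        (team_admin, "config:DeleteConfigRule", "arn:aws:config:us-east-1:111122223333:config-rule/config-rule-abc"),
        (team_admin, "cloudtrail:DeleteTrail", "arn:aws:cloudtrail:us-east-1:111122223333:trail/baseline-trail"),
        (team_admin, "cloudtrail:DeleteTrail", "arn:aws:cloudtrail:us-east-1:111122223333:trail/team-app-trail"),
    ]:
        print(f"{who.rsplit('/', 1)[1]:<22} {action:<38} -> {'ALLOW' if scp_permits(BASELINE_SCP, action, res, who) else 'DENY'}")
```

The evaluator models only what this policy needs (Action/Resource wildcards and the two ARN condition operators); real SCP evaluation also intersects with the IAM policies in the account, so treat it as a check on the policy's intent rather than a substitute for the IAM policy simulator. If the baseline trail is the organization trail from the management account, the `ProtectBaselineTrail` statement is optional, since member accounts cannot modify that trail anyway.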