AWS Certified Security - Specialty



A company utilizes infrastructure as code (IaC) to manage its AWS infrastructure, employing AWS CloudFormation templates for deployment. They have an established CI/CD pipeline for this purpose. Following a security audit, the company aims to enhance its AWS security posture by implementing a policy-as-code approach. This approach must prevent the deployment of infrastructure that violates security policies, such as unencrypted Amazon Elastic Block Store (Amazon EBS) volumes. Which solution should the company adopt to meet these security requirements?




Explanation:

The correct answer is C. AWS CloudFormation Guard (cfn-guard) lets you define policy-as-code rule sets that validate CloudFormation templates before deployment. Because the validation runs against the template itself, it fits naturally into a CI/CD pipeline stage, where it can fail the build and stop deployment when a template violates a security policy, such as a template declaring an unencrypted Amazon EBS volume. Options A, B, and D do not provide the pre-deployment template validation the question requires. AWS Trusted Advisor (A) provides operational insights and recommendations for already-running resources rather than enforcing policies before deployment. AWS Config (B) evaluates the compliance of resources after they are deployed, and Service Control Policies (D) set permission boundaries across the accounts of an AWS Organization; neither validates templates inside a CI/CD pipeline.
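To make the pre-deployment check concrete, the following is an added example of a cfn-guard rule file (it is not part of the exam question or of the cfn-guard project's own documentation). It encodes the EBS encryption policy from the question: every `AWS::EC2::Volume` resource in a template must set `Encrypted` to `true`. The file name `ebs_encryption.guard` and the rule name `EBS_VOLUMES_ENCRYPTED` are assumptions chosen for this example.

```guard
# ebs_encryption.guard (example file name)
# Select every EBS volume resource declared in the template.
let ebs_volumes = Resources.*[ Type == 'AWS::EC2::Volume' ]

# The rule only fires when the template actually declares EBS volumes;
# a template with no volumes is not a violation of this policy.
rule EBS_VOLUMES_ENCRYPTED when %ebs_volumes !empty {
    %ebs_volumes.Properties.Encrypted == true
    <<
        Violation: every AWS::EC2::Volume must be encrypted at rest.
        Fix: set Properties.Encrypted to true (optionally with a KmsKeyId).
    >>
}
```

In a pipeline stage you would run `cfn-guard validate --data template.yaml --rules ebs_encryption.guard` against the rendered template; a non-zero exit status on a FAIL result is what the pipeline uses to block the deployment. The `when %ebs_volumes !empty` guard matters in practice: without it, templates that contain no EBS volumes would be reported as not applicable rather than passing cleanly, which makes CI results harder to read.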