Exam DOP-C02
Question 206

A company uses AWS Control Tower and AWS CloudFormation to manage its AWS accounts and to create AWS resources. The company requires all Amazon S3 buckets to be encrypted with AWS Key Management Service (AWS KMS) when the S3 buckets are created in a CloudFormation stack.

Which solution will meet this requirement?

    Correct Answer: B

    To ensure that all Amazon S3 buckets created in a CloudFormation stack are encrypted with AWS Key Management Service (AWS KMS), AWS Control Tower should be utilized. Specifically, configuring and enabling proactive AWS Control Tower controls on all Organizational Units (OUs) with CloudFormation hooks is the solution. These proactive controls are preventive measures that block actions violating defined policies before they occur, thus ensuring that encryption gets applied automatically during the creation of S3 buckets within CloudFormation stacks. This approach not only aligns with the requirement but also leverages the built-in capabilities of AWS Control Tower to manage multi-account environments.

Discussion
thanhnv142 (Option: B)

B is correct: <AWS Control Tower> means we need to use the proactive control.
A: An SCP on the s3:PutObject permission only denies actions related to putting objects into S3, not creating it.
B: Detective controls are used only for monitoring.
C: correct.
D: This option can achieve the goal of the question. However, it is way more complicated than B.

Ramdi1 (Option: B)

Proactive controls: Proactive controls are preventative measures that block actions violating defined policies before they occur. This ensures encryption gets applied automatically during S3 bucket creation within CloudFormation stacks.
CloudFormation hooks: Hooks enable Control Tower to intercept and enforce policies on CloudFormation stack operations, making it ideal for enforcing encryption during resource creation.
Multi-account environment: Since the requirement applies across all accounts, Control Tower's multi-account capabilities ensure consistent policy enforcement throughout the organization.

Ramdi1

The other options have limitations:
A: While SCPs enforce policies, they react to actions instead of proactively preventing them. Additionally, denying s3:PutObject might be too restrictive as it can impact other legitimate operations.
C: Detective controls monitor and report on existing resources, not preventing non-compliant creations.
D: Config and SCPs combined address encryption checks and user limitations, but lack the direct integration with CloudFormation stacks crucial for enforcing during creation.

dkp (Option: B)

Answer B

fdoxxx (Option: B)

B is better than D...

ogerber (Option: B)

B, 100%

Gomer (Option: B)

Here's the Control Tower proactive control: "[CT.S3.PR.10] Require an Amazon S3 bucket to have server-side encryption configured using an AWS KMS key" https://docs.aws.amazon.com/controltower/latest/controlreference/s3-rules.html#ct-s3-pr-10-description
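As an added illustration of what a template-time check like the CT.S3.PR.10 proactive control named above enforces (this is example code written for this page, not Control Tower's or AWS's own hook implementation): the script below walks a CloudFormation template, finds every AWS::S3::Bucket, and reports any bucket whose default encryption is not SSE-KMS, returning a pass/fail verdict the way a pre-create hook would before the stack is allowed to proceed. The two templates are constructed for the example, and the exact matching logic of the real control (which properties it inspects, and whether a key ID is mandatory) is an assumption here; only the aws:kms algorithm is required.

```python
"""Template-time check for S3 default encryption with AWS KMS.

Added example: approximates what a Control Tower proactive control such as
CT.S3.PR.10 evaluates through a CloudFormation hook, i.e. it inspects the
template before the stack creates the bucket. Not AWS's or Control Tower's
code; the sample templates below are constructed for this example.
"""
import json

RULE_ID = "CT.S3.PR.10"  # control name taken from the discussion above


def bucket_uses_kms(resource: dict) -> bool:
    """True when an AWS::S3::Bucket resource declares SSE-KMS default encryption.

    Assumption: the check looks at BucketEncryption ->
    ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm
    and requires the value "aws:kms". A KMSMasterKeyID is not demanded here.
    """
    props = resource.get("Properties") or {}
    encryption = props.get("BucketEncryption") or {}
    rules = encryption.get("ServerSideEncryptionConfiguration") or []
    for rule in rules:
        by_default = rule.get("ServerSideEncryptionByDefault") or {}
        if by_default.get("SSEAlgorithm") == "aws:kms":
            return True
    return False


def evaluate_template(template: dict) -> list:
    """Return one (logical_id, reason) finding per non-compliant bucket."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue  # the rule only applies to S3 buckets
        if not bucket_uses_kms(resource):
            findings.append((logical_id, f"{RULE_ID}: no SSE-KMS default encryption"))
    return findings


def hook_decision(template: dict) -> str:
    """Mimic a pre-create hook verdict: SUCCESS lets the stack proceed, FAILED blocks it."""
    return "FAILED" if evaluate_template(template) else "SUCCESS"


# Constructed sample template 1: bucket encrypted with a KMS key from the same stack.
COMPLIANT_TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "DataKey": {"Type": "AWS::KMS::Key",
                "Properties": {"Description": "constructed example key"}},
    "DataBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"BucketEncryption": {
                     "ServerSideEncryptionConfiguration": [{
                       "ServerSideEncryptionByDefault": {
                         "SSEAlgorithm": "aws:kms",
                         "KMSMasterKeyID": {"Ref": "DataKey"}}}]}}}
  }
}""")

# Constructed sample template 2: one bucket on SSE-S3 (AES256), one with no
# encryption block at all, plus a non-bucket resource the rule must ignore.
NONCOMPLIANT_TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"BucketEncryption": {
                     "ServerSideEncryptionConfiguration": [{
                       "ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "DataBucket": {"Type": "AWS::S3::Bucket"},
    "WorkQueue": {"Type": "AWS::SQS::Queue"}
  }
}""")


if __name__ == "__main__":
    for name, template in (("compliant", COMPLIANT_TEMPLATE),
                           ("noncompliant", NONCOMPLIANT_TEMPLATE)):
        print(name, hook_decision(template))
        for logical_id, reason in evaluate_template(template):
            print("  ", logical_id, "->", reason)
```

Running it reports SUCCESS for the first template and FAILED for the second, listing LogsBucket and DataBucket as the offending resources; the SQS queue is skipped because the rule scopes to bucket resources only. The point the discussion makes is visible in the structure: the decision is taken from the template before any bucket exists, which is what distinguishes a proactive control from a detective one that only reports on buckets already created.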

Venki_dev (Option: B)

Clearly the answer is B; here is an article that explains the same: https://aws.amazon.com/blogs/mt/how-aws-control-tower-users-can-proactively-verify-compliance-in-aws-cloudformation-stacks/ Answer D with a Config rule also fits the bill (if there is no Control Tower), but since we have Control Tower managing the accounts already, it's better to make use of the features that Control Tower leverages.

fdoxxx (Option: D)

D provides a solution that leverages AWS Organizations and AWS Config to enforce the requirement for AWS KMS encryption on all S3 buckets created through CloudFormation:
AWS Config Organizational Rule: Create an AWS Config organizational rule to check whether a KMS encryption key is enabled for all S3 buckets. This rule helps ensure that the encryption requirement is enforced.
Options A, B, and C do not directly address the requirement for AWS KMS encryption on S3 buckets created through CloudFormation:
Option A mentions using an SCP but focuses on denying s3:PutObject without the required encryption header. However, this approach doesn't ensure that the encryption is enforced through AWS KMS.
Options B and C mention using AWS Control Tower with proactive or detective controls, but they don't specifically address the encryption requirement for S3 buckets.

fdoxxx

I am changing to B. Option B leverages AWS Control Tower, which is designed for managing multiple AWS accounts in a centralized and automated manner. By configuring and enabling proactive AWS Control Tower controls on all Organizational Units (OUs) with CloudFormation hooks, the company can ensure that all S3 buckets created within CloudFormation stacks adhere to the encryption requirement.

Chelseajcole

Maybe D

Chelseajcole

Because of AWS Config

Venki_dev

It's B: https://aws.amazon.com/blogs/mt/how-aws-control-tower-users-can-proactively-verify-compliance-in-aws-cloudformation-stacks/