Exam DOP-C02
Question 66

A DevOps engineer needs to apply a core set of security controls to an existing set of AWS accounts. The accounts are in an organization in AWS Organizations. Individual teams will administer individual accounts by using the AdministratorAccess AWS managed policy. For all accounts, AWS CloudTrail and AWS Config must be turned on in all available AWS Regions. Individual account administrators must not be able to edit or delete any of the baseline resources. However, individual account administrators must be able to edit or delete their own CloudTrail trails and AWS Config rules.

Which solution will meet these requirements in the MOST operationally efficient way?

    Correct Answer: D

    The most operationally efficient solution is to create an AWS CloudFormation template that defines the standard account resources and deploy it to all accounts using AWS CloudFormation StackSets from the organization's management account. Additionally, an SCP (Service Control Policy) should be created that prevents updates or deletions to CloudTrail resources or AWS Config resources unless the principal is an administrator of the organization's management account. This approach ensures that the baseline resources cannot be modified or deleted by individual account administrators, but they retain the ability to edit or delete their own CloudTrail trails and AWS Config rules. This meets all the given requirements efficiently.
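As an added example (not from the exam page or any of its answer options), here is an SCP in the spirit of answer D, written as a Python dict with a small evaluator so you can check who it blocks; the `baseline-` trail name prefix and the `stacksets-exec-*` execution role name are assumptions.

```python
"""Added example: an SCP that protects baseline CloudTrail/Config resources
while leaving team-owned trails and rules editable. Names are assumptions."""
import fnmatch

# Role that CloudFormation StackSets uses in member accounts (assumed name);
# it must stay exempt or the baseline stack itself can never be updated.
STACKSET_EXEC_ROLE = "arn:aws:iam::*:role/stacksets-exec-*"

# The management account is never subject to SCPs, so it needs no exemption.
BASELINE_SCP: dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectBaselineTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                       "cloudtrail:StopLogging", "cloudtrail:PutEventSelectors"],
            # Scoped to the baseline trail only (assumed naming convention),
            # so a team's own trails are not caught by this Deny.
            "Resource": "arn:aws:cloudtrail:*:*:trail/baseline-*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": STACKSET_EXEC_ROLE}},
        },
        {
            "Sid": "ProtectConfigRecorder",
            "Effect": "Deny",
            # Recorder/delivery-channel actions take no resource ARN, hence "*".
            "Action": ["config:DeleteConfigurationRecorder",
                       "config:StopConfigurationRecorder",
                       "config:DeleteDeliveryChannel"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": STACKSET_EXEC_ROLE}},
        },
    ],
}


def scp_denies(policy: dict, principal_arn: str, action: str, resource: str) -> bool:
    """True if a Deny statement matches this request. Only the ArnNotLike
    condition on aws:PrincipalARN is modelled; a real evaluation also needs
    an Allow (e.g. the default FullAWSAccess SCP) for the request to succeed."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, st["Resource"]):
            continue
        exempt = st.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt and fnmatch.fnmatchcase(principal_arn, exempt):
            continue  # principal matches the exemption pattern; Deny does not apply
        return True
    return False
```

Scoping the Deny to the baseline resources is what lets team administrators keep editing their own trails and rules, and the exemption for the StackSets execution role is what keeps the baseline stack updatable.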

Discussion
haazybanj (Option: C)

C This solution meets the requirements in the most operationally efficient way. It uses AWS CloudFormation StackSets to deploy AWS Config recorders in all accounts and AWS Config rules to the organization, which can be centrally managed from an AWS Config management account. A CloudTrail organization trail can also be created in the organization’s management account to collect logs from all accounts. An SCP can be used to deny modification or deletion of the AWS Config recorders, ensuring that the baseline resources cannot be modified or deleted by individual account administrators. However, individual account administrators can still edit or delete their own CloudTrail trails and AWS Config rules.

a1234321606

Why C? If you deny modification or deletion of the AWS Config recorders by using an SCP, how do individual account administrators edit or delete their own CloudTrail trails and AWS Config rules?

koenigParas2324

This solution lacks clarity on allowing individual account administrators control over their CloudTrail trails.

bnagaraja9099

C is good. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

bnagaraja9099

An SCP restricts permissions for IAM users and roles in member accounts, including the member account's root user. Any account has only those permissions permitted by every parent above it. If a permission is blocked at any level above the account, either implicitly (by not being included in an Allow policy statement) or explicitly (by being included in a Deny policy statement), a user or role in the affected account can't use that permission, even if the account administrator attaches the AdministratorAccess IAM policy with */* permissions to the user. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

vmahilevskyi (Option: D)

D for me. I think C is incorrect because the requirement "However, individual account administrators must be able to edit or delete their own CloudTrail trails and AWS Config rules." is not satisfied: this answer says nothing about individual account administrators being able to edit their own CloudTrail trails. An organisational trail can be edited only from the management or delegated administrator account.

Mordans (Option: C)

Option C is the most operationally efficient and meets all the requirements: ensuring CloudTrail and AWS Config are enabled in all regions, preventing the deletion or editing of baseline resources by individual account administrators, while still allowing them the flexibility to manage their own specific resources. This approach uses centralized control mechanisms (AWS Config management account and organization trail for CloudTrail) and leverages SCPs for enforcement, aligning with best practices for security and governance in AWS Organizations.

cb6a796 (Option: C)

C for sure

dzn (Option: B)

When Control Tower is enabled, AWS-GR_CLOUDTRAIL_ENABLED and AWS-GR_CONFIG_ENABLED will enable CloudTrail and Config in all available regions. The guardrails are automatically set to disallow changes to baseline resources. A, C, D: no mention of baseline resources.

vortegon (Option: C)

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

jilly

How many questions are there in DOP-C02? It says 217, but I don't see that many.

Ramdi1

I only see 209 questions, I think, even though it says 217. Not sure if it's something where they have to wait 2 weeks to release the rest, since they update it, maybe.

trungtd (Option: D)

must be D

seetpt (Option: C)

I agree with C

CloudHandsOn (Option: D)

I'm going with D. SCPs are what help us here.

vn_thanhtung

But SCPs do not support a direct principal.

thanhnv142 (Option: D)

D is correct: this denies modifications to AWS Config or CloudTrail unless the principal is the management account.
A: No explicit mention of denying modifications to Config or CloudTrail.
B: No explicit mention of denying modifications to Config or CloudTrail.
C: "Create a CloudTrail organization trail in the organization's management account": this means the deny rule only affects the management account.

Chelseajcole (Option: D)

C is using the AWS Config recorder. AWS Config uses the configuration recorder to detect changes in your resource configurations and capture these changes as configuration items. It is not used to prevent you from doing something; it detects something.

thanhnv142

CloudTrail trails

hotblooded (Option: D)

CloudTrail resources are what we want to deny, not the Config recorder.

a54b16f (Option: D)

The common practice is using StackSets to enable AWS Config, so D makes sense.

a54b16f (Option: D)

C mentioned using AWS Config recorders, which are for drift detection and have nothing to do with enabling AWS Config.

AikAWS (Option: D)

Answer is D. C is wrong because: "Deny modification or deletion of the AWS Config recorders by using an SCP." AWS Config recorders track resource configurations. We need to ensure that the baseline resources CANNOT be modified or deleted by individual account administrators. We don't need to track these modifications.

Jaguaroooo

I think D is a better choice based on the following statement: Create an SCP that prevents updates or deletions to CloudTrail resources or AWS Config resources unless the principal is an administrator of the organization's management account.