
SAP-C02 Exam - Question 64


A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization. The company wants to implement governance and policy enforcement. The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company’s production OU.

Which solution will meet this requirement?

Correct Answer: B

To meet the requirement of detecting Amazon RDS DB instances that are not encrypted at rest in the company’s production OU, enabling the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower is the suitable solution. These strongly recommended guardrails offer checks for best practices and additional security measures that are not automatically enforced but can be used to enforce policies such as encryption at rest for RDS instances. This will ensure that all RDS instances in the production OU are checked for encryption compliance, thus fulfilling the company's requirement.

Discussion

15 comments
masetromain (Option: B)
Jan 14, 2023

The correct answer is B. AWS Control Tower provides a set of "strongly recommended guardrails" that can be enabled to implement governance and policy enforcement. One of these guardrails is "Encrypt Amazon RDS instances" which will detect RDS DB instances that are not encrypted at rest. By enabling this guardrail and applying it to the production OU, the company will be able to enforce encryption for RDS instances in the production environment. Option A is incorrect because mandatory guardrails are pre-defined by AWS and cannot be customized. Option C is incorrect because AWS Config does not provide mandatory guardrails for RDS instances. Option D is incorrect because AWS Control Tower does not provide a feature called custom SCP (Service Control Policy), it uses guardrails instead.

pitakk (Option: B)
Jan 25, 2023

https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#disallow-rds-storage-unencrypted

Musk
Jan 29, 2023

The only thing is that this option talks about guardrails, while the article talks about controls, not mandatory.

Ajani (Option: B)
Mar 5, 2023

Mandatory controls are owned by AWS Control Tower, and they apply to every OU on your landing zone. These controls are applied by default when you set up your landing zone, and they can't be deactivated. The solution requirement falls under a proactive (Recommended Control). https://docs.aws.amazon.com/controltower/latest/userguide/rds-rules.html#ct-rds-pr-16-description Optional controls are OU specific.

God_Is_Love (Option: B)
Mar 1, 2023

Tip - As this detective guardrail is available, the answer is B. But if the guardrail is not available in that predefined list, the answer would be C. https://aws.amazon.com/blogs/mt/aws-control-tower-detective-guardrails-as-an-aws-config-conformance-pack/

OCHT (Option: C)
Apr 8, 2023

Option B suggests enabling an appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower and applying it to the production OU. While AWS Control Tower provides a set of pre-packaged guardrails that enforce best practices for security, operations, and compliance, there is no guarantee that there is a pre-packaged guardrail specifically for detecting Amazon RDS DB instances that are not encrypted at rest. In contrast, option C creates a custom rule in AWS Config that specifically checks for Amazon RDS DB instances that are not encrypted at rest. This provides more flexibility and control in ensuring that the company’s specific requirement is met.
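For readers weighing option C against option B, the following is an added example (not code from the exam page, from any commenter, or from AWS) of the evaluation logic a Lambda-backed custom AWS Config rule would use to flag RDS DB instances that are not encrypted at rest. It inspects the same `StorageEncrypted` attribute that the Control Tower detective control in option B checks through its own AWS Config rule. Assumptions: the configuration item exposes the attribute under the camelCase key `storageEncrypted`, as the AWS Config resource schema for `AWS::RDS::DBInstance` does; the sample invocation events are constructed; and `boto3` is only imported when the handler actually runs inside Lambda.

```python
"""Added example: a custom AWS Config rule evaluator for RDS storage encryption at rest.
Not code from the exam page or from AWS; sample events below are constructed."""
import json

APPLICABLE_RESOURCE_TYPE = "AWS::RDS::DBInstance"
DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_item(item: dict) -> dict:
    """Build one AWS Config evaluation for a configuration item.

    Other resource types and deleted resources are reported NOT_APPLICABLE so the
    rule never mis-scores them. A missing storageEncrypted attribute is treated as
    unencrypted: an absent flag must not pass silently.
    """
    resource_type = item.get("resourceType", "")
    if resource_type != APPLICABLE_RESOURCE_TYPE:
        compliance = "NOT_APPLICABLE"
        annotation = f"{resource_type or 'unknown type'} is not evaluated by this rule"
    elif item.get("configurationItemStatus") in DELETED_STATUSES:
        compliance = "NOT_APPLICABLE"
        annotation = "DB instance has been deleted"
    elif (item.get("configuration") or {}).get("storageEncrypted") is True:
        compliance = "COMPLIANT"
        annotation = "Storage encryption at rest is enabled"
    else:
        compliance = "NON_COMPLIANT"
        annotation = "Storage encryption at rest is not enabled"
    return {
        "ComplianceResourceType": resource_type,
        "ComplianceResourceId": item.get("resourceId", "unknown"),
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }


def evaluations_from_event(event: dict) -> list:
    """Parse a rule invocation (invokingEvent is a JSON string) into evaluations.

    Only plain ConfigurationItemChangeNotification events carry the item inline;
    oversized notifications need a config-history lookup this offline example skips.
    """
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        return []
    return [evaluate_item(invoking.get("configurationItem") or {})]


def lambda_handler(event, context, config_client=None):
    """Lambda entry point: compute the evaluations and report them to AWS Config."""
    evaluations = evaluations_from_event(event)
    if evaluations:
        if config_client is None:  # only reached when running inside Lambda
            import boto3  # assumption: boto3 is available in the Lambda runtime
            config_client = boto3.client("config")
        config_client.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations


def make_event(resource_id: str, encrypted: bool, status: str = "OK") -> dict:
    """Constructed sample invocation event shaped like the one Config sends a custom rule."""
    item = {
        "resourceType": APPLICABLE_RESOURCE_TYPE,
        "resourceId": resource_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-05T10:00:00.000Z",
        "configuration": {"dBInstanceIdentifier": resource_id, "storageEncrypted": encrypted},
    }
    invoking = {"messageType": "ConfigurationItemChangeNotification", "configurationItem": item}
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": "{}",
            "resultToken": "constructed-token"}


if __name__ == "__main__":
    for ev in (make_event("prod-orders-db", False), make_event("prod-reports-db", True)):
        for result in evaluations_from_event(ev):
            print(result["ComplianceResourceId"], result["ComplianceType"])
```

A single Config rule is scoped to one account and region; to cover every account in the production OU it would have to be deployed as an organization Config rule or through a conformance pack, which is the operational overhead that makes the ready-made Control Tower control, applied once to the OU, the lighter choice when it exists.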

passthatexam1
Apr 15, 2023

It's incorrect; ideally you only apply to the OU and not to an individual account, therefore this needs to be discounted.

dkx
Jul 16, 2023

A. No, because mandatory controls are owned by AWS Control Tower, and they apply to every OU on your landing zone. These controls are applied by default when you set up your landing zone, and they can't be deactivated. Moreover, none of them address RDS encryption at rest.
B. Yes, because strongly recommended controls are owned by AWS Control Tower. They are based on best practices for well-architected multi-account environments. These controls are not enabled by default, and they can be deactivated through the AWS Control Tower console or the control APIs. Moreover, three of them are RDS detective controls.
C. No, because AWS Config does not create mandatory guardrails; AWS Config has managed and custom rules.
D. No, because SCPs are created in AWS Orgs and are not designed to detect Amazon RDS DB instances that are not encrypted at rest.

klog (Option: B)
Feb 15, 2023

The question is asking for detection, not a mandate.

mfsec (Option: B)
Mar 26, 2023

Enable the appropriate guardrail

EricZhang
May 31, 2023

C - using AWS Config for detective action

ninomfr64 (Option: B)
Jan 5, 2024

A = Mandatory controls are owned by AWS Control Tower, and they apply by default to every OU on your landing zone and they can't be deactivated.
B = Correct. https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#disallow-rds-storage-unencrypted
C = You cannot create new mandatory controls as they are owned by AWS Control Tower.
D = You can create custom SCPs in AWS Control Tower as part of the Customizations for AWS Control Tower (https://docs.aws.amazon.com/controltower/latest/userguide/cfcn-set-up-custom-scps.html). However, this requires a lot of work.

ninomfr64
Jan 5, 2024

Note on D: the question is asking to detect and not to mandate, thus D would not meet the requirement.

SkyZeroZx (Option: B)
Jun 18, 2023

A seems but previous exist rule then B is more appropriate in this case: https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#disallow-rds-storage-unencrypted

NikkyDicky (Option: B)
Jul 2, 2023

It's B.

severlight (Option: B)
Nov 14, 2023

Check masetromain's comment.

8608f25 (Option: B)
Feb 10, 2024

Option B is correct because AWS Control Tower’s strongly recommended guardrails include checks for best practices and additional security measures that are not enforced by default but are highly recommended. Among these, there is likely a guardrail that can detect unencrypted RDS DB instances, aligning with the company’s requirement. Applying this guardrail to the production OU will ensure that all RDS DB instances in that OU are checked for encryption at rest.

AloraCloud
Jul 1, 2024

The keyword in the question is "detect", which indicates Config: "The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company’s production OU."