Question 11
Domain 2: Configuration Management and Infrastructure as Code

A company uses AWS Control Tower and AWS CloudFormation to manage its AWS accounts and to create AWS resources. The company requires all Amazon S3 buckets to be encrypted with AWS Key Management Service (AWS KMS) when the S3 buckets are created in a CloudFormation stack. Which solution will meet this requirement?
Correct answer: B
Explanation
AWS Control Tower proactive controls can “prevent resource creation” that violates policy, and CloudFormation hooks let you inspect and block stack resources before they are created. Enabling these controls on all OUs ensures every S3 bucket created in a CloudFormation stack must use AWS KMS encryption, meeting the organization-wide requirement.
Why each option is right or wrong
A. Use AWS Organizations. Attach an SCP that denies the s3:PutObject permission if the request does not include an x-amz-server-side-encryption header that requests server-side encryption with AWS KMS keys (SSE-KMS).
SCP on PutObject affects object uploads, not whether CloudFormation creates an encrypted bucket.
B. Use AWS Control Tower with a multi-account environment. Configure and enable proactive AWS Control Tower controls on all OUs with CloudFormation hooks.
AWS Control Tower proactive controls are enforced at provisioning time and can prevent noncompliant resources from being created, while CloudFormation hooks run during stack operations before resource creation. By enabling the proactive control across all organizational units, every CloudFormation stack that attempts to create an Amazon S3 bucket is evaluated before launch and can be blocked unless the bucket is configured for AWS KMS encryption, satisfying the organization-wide requirement at creation time rather than after deployment.
C. Use AWS Control Tower with a multi-account environment. Configure and enable detective AWS Control Tower controls on all OUs with CloudFormation hooks.
Detective controls identify violations after deployment; they do not block noncompliant stack creation.
D. Use AWS Organizations. Create an AWS Config organizational rule to check whether a KMS encryption key is enabled for all S3 buckets. Deploy the rule. Create and apply an SCP to prevent users from stopping and deleting AWS Config across all AWS accounts.
AWS Config organizational rules evaluate compliance after resources exist, not at CloudFormation create time.
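The kind of check a proactive control performs on a template before CloudFormation creates the bucket, written here as an added illustration (this is not Control Tower's or CloudFormation's own hook code): it scans the `Resources` of a template and flags every `AWS::S3::Bucket` whose default encryption is missing or is not SSE-KMS. The template, its logical IDs and the KMS key ARN are constructed sample values.

```python
import json
from typing import Dict, List

# Constructed sample template: one bucket with no default encryption,
# one with SSE-S3 (AES256), and one with SSE-KMS using a placeholder key ARN.
TEMPLATE = json.loads("""{
  "Resources": {
    "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "SseS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "KmsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {
          "SSEAlgorithm": "aws:kms",
          "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}},
    "NotABucket": {"Type": "AWS::SNS::Topic", "Properties": {}}
  }
}""")

# S3 algorithms backed by AWS KMS keys (single- and dual-layer SSE-KMS).
KMS_ALGORITHMS = ("aws:kms", "aws:kms:dsse")


def bucket_uses_sse_kms(props: Dict) -> bool:
    """True only if the bucket declares default encryption and every rule requests SSE-KMS."""
    enc = props.get("BucketEncryption") or {}
    rules = enc.get("ServerSideEncryptionConfiguration") or []
    if not rules:
        return False  # no default encryption at all
    for rule in rules:
        algo = (rule.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")
        if algo not in KMS_ALGORITHMS:
            return False  # unencrypted or SSE-S3 rule present
    return True


def noncompliant_buckets(template: Dict) -> List[str]:
    """Logical IDs of S3 buckets that a pre-creation check would reject."""
    bad = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue  # only S3 buckets are in scope for this control
        if not bucket_uses_sse_kms(res.get("Properties") or {}):
            bad.append(logical_id)
    return sorted(bad)


if __name__ == "__main__":
    print(noncompliant_buckets(TEMPLATE))  # ['PlainBucket', 'SseS3Bucket']
```

Because the evaluation runs on the template before any resource exists, a non-empty result is what lets the stack operation be blocked at creation time, which is the difference between this proactive behaviour and a detective AWS Config rule that only reports after the bucket is already there.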