Question 9
Domain 2: Configuration Management and Infrastructure as Code
A company has an organization in AWS Organizations with many OUs that contain many AWS accounts. The organization has a dedicated delegated administrator AWS account. The company needs the accounts in one OU to have server-side encryption enforced for all Amazon Elastic Block Store (Amazon EBS) volumes and Amazon Simple Queue Service (Amazon SQS) queues that are created or updated by an AWS CloudFormation stack. Which solution will enforce this policy before a CloudFormation stack operation in the accounts of this OU?
Correct answer: A
Explanation
CloudFormation Hooks are invoked during a stack operation, before each targeted resource is created or updated, and can inspect the resource's properties and fail the operation when they do not meet the required condition. That makes them a preventive control for the encryption requirement on EBS volumes and SQS queues. Activating trusted access for CloudFormation StackSets in AWS Organizations lets the delegated administrator deploy the Hook to every account in the OU with service-managed permissions, so the policy is applied consistently in those accounts.
Why each option is right or wrong
A. Activate trusted access to CloudFormation StackSets. Create a CloudFormation Hook that enforces server-side encryption on EBS volumes and SQS queues. Deploy the Hook across the accounts in the OU by using StackSets.
CloudFormation Hooks are the only mechanism among the options that executes in the pre-create/pre-update phase of a stack operation and can fail the operation if a resource does not meet a required condition. The Hook is invoked with the resource's properties before the resource is provisioned or updated, which fits the requirement to enforce encryption on EBS volumes and SQS queues at stack time. Two details matter in practice: the Hook's target names must list each resource type it should inspect (for example AWS::EC2::Volume and AWS::SQS::Queue), and its configuration must set the failure mode to FAIL, because in WARN mode a non-compliant resource only produces a warning and the operation proceeds. AWS Organizations trusted access for CloudFormation StackSets allows the delegated administrator to deploy and activate that Hook centrally in every account in the specified OU, so the control is applied consistently across all target accounts rather than only in one account.
B. Set up AWS Config in all the accounts in the OU. Use AWS Systems Manager to deploy AWS Config rules that enforce server-side encryption for EBS volumes and SQS queues across the accounts in the OU.
AWS Config is a detective control: its rules evaluate a resource after it exists (or after a configuration change is recorded) and can at best flag or remediate it afterwards. It does not run before a stack operation and cannot stop CloudFormation from creating an unencrypted volume or queue. Using Systems Manager to distribute the rules does not change that; Config rules would normally be deployed with organization conformance packs anyway.
C. Write an SCP to deny the creation of EBS volumes and SQS queues unless the EBS volumes and SQS queues have server-side encryption. Attach the SCP to the OU.
SCPs are permission guardrails evaluated against individual API calls; they cannot read CloudFormation template properties. Even where a request attribute can be matched with an IAM condition key, a denied call surfaces as a failure partway through the stack operation, followed by a rollback, rather than as a check before the operation starts. The question asks for enforcement before the stack operation, which an SCP does not provide.
D. Create an AWS Lambda function in the delegated administrator account that checks whether server-side encryption is enforced for EBS volumes and SQS queues. Create an IAM role to provide the Lambda function access to the accounts in the OU.
A Lambda function running from the delegated administrator account with a cross-account role is a custom, after-the-fact check: it can only discover unencrypted volumes and queues once they exist and nothing in this option wires it into the CloudFormation stack operation. It does not natively gate stack operations and would have to be re-implemented as a Hook to do so.
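To make option A concrete, the following is the decision logic a pre-create/pre-update Hook handler would apply to the two target types. It is an added example written for this page, not code from the question or from AWS. It assumes the Hook is registered with target names AWS::EC2::Volume and AWS::SQS::Queue, that the handler receives the resource properties as a plain dictionary with literal values (an unresolved intrinsic function is treated as non-compliant, so the check fails closed), and that the returned status maps onto the SUCCESS/FAILED result a Hook handler reports. The wiring to the CloudFormation CLI hook framework and the sample template are left out and constructed, respectively.

```python
"""Pre-provisioning encryption check for a CloudFormation Hook (added example)."""
from typing import Any, Dict, Tuple

# Resource types the Hook is registered against (its target names).
EBS_VOLUME = "AWS::EC2::Volume"
SQS_QUEUE = "AWS::SQS::Queue"


def _as_bool(value: Any) -> bool:
    """Treat only a literal true (bool or the string "true") as true.

    An intrinsic function such as {"Ref": "EncryptParam"} is not resolved here,
    so it fails closed. Assumption: the handler sees literal property values.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def check_ebs_volume(props: Dict[str, Any]) -> Tuple[bool, str]:
    """AWS::EC2::Volume is compliant only when Encrypted is literally true."""
    if _as_bool(props.get("Encrypted")):
        return True, ""
    return False, f"{EBS_VOLUME} must set Encrypted: true"


def check_sqs_queue(props: Dict[str, Any]) -> Tuple[bool, str]:
    """AWS::SQS::Queue is compliant with SQS-managed SSE or any KMS key."""
    if _as_bool(props.get("SqsManagedSseEnabled")):
        return True, ""
    if props.get("KmsMasterKeyId"):
        return True, ""
    return False, f"{SQS_QUEUE} must set SqsManagedSseEnabled: true or KmsMasterKeyId"


CHECKS = {EBS_VOLUME: check_ebs_volume, SQS_QUEUE: check_sqs_queue}


def evaluate_target(target_type: str, props: Dict[str, Any]) -> Dict[str, str]:
    """Decision for one resource, as a preCreate/preUpdate handler would report it.

    SUCCESS lets provisioning continue; FAILED aborts the stack operation when
    the Hook configuration uses FailureMode FAIL. Untargeted types pass through.
    """
    check = CHECKS.get(target_type)
    if check is None:
        return {"status": "SUCCESS", "message": f"{target_type} not targeted"}
    ok, reason = check(props or {})
    if ok:
        return {"status": "SUCCESS", "message": "encryption enforced"}
    return {"status": "FAILED", "message": reason}


def evaluate_template(template: Dict[str, Any]) -> Dict[str, Dict[str, str]]:
    """Local convenience: apply the per-resource decision to a whole template.

    Keyed by logical ID; handy for testing the policy before registering the Hook.
    """
    results: Dict[str, Dict[str, str]] = {}
    for logical_id, res in template.get("Resources", {}).items():
        results[logical_id] = evaluate_target(res.get("Type", ""), res.get("Properties", {}))
    return results


# Constructed sample template for local testing (not from the original question).
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodVolume": {"Type": EBS_VOLUME,
                       "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8, "Encrypted": True}},
        "DataVolume": {"Type": EBS_VOLUME,
                       "Properties": {"AvailabilityZone": "us-east-1a", "Size": 100}},
        "KmsQueue": {"Type": SQS_QUEUE, "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
        "PlainQueue": {"Type": SQS_QUEUE, "Properties": {"SqsManagedSseEnabled": False}},
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

if __name__ == "__main__":
    for lid, decision in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{lid:12} {decision['status']:8} {decision['message']}")
```

Two caveats worth keeping in mind when turning this into a real Hook. First, the check only sees the resource types it targets, so EBS volumes created indirectly (for example through the block device mappings of an AWS::EC2::Instance) are not inspected unless that type is also targeted and its nested properties are checked. Second, the check deliberately fails closed: a volume that omits Encrypted is rejected even in an account where EBS encryption by default is switched on, which is the safer reading of "enforce server-side encryption" for a template-level control.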