Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam SCS-C02 Topic 8 Question 11 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 11
Topic #: 8
[All SCS-C02 Questions]

A company uses infrastructure as code (IaC) to create AWS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates.

After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company's security posture on AWS. The company must prevent the deployment of any infrastructure that would violate a security policy, such as an unencrypted Amazon Elastic Block Store (Amazon EBS) volume.

Which solution will meet these requirements?

Show Suggested Answer Hide Answer
Suggested Answer: C

The correct answer is C. Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.

This answer is correct because AWS CloudFormation Guard is a tool that helps you implement policy-as-code for your CloudFormation templates. You can use Guard to write rules that define your security policies, such as requiring encryption for EBS volumes, and then validate your templates against those rules before deploying them. You can integrate Guard into your CI/CD pipeline as a step that runs the validation checks and prevents the deployment of any non-compliant templates12.

The other options are incorrect because:

A) Turning on AWS Trusted Advisor and configuring security notifications as webhooks in the preferences section of the CI/CD pipeline is not a solution, because AWS Trusted Advisor is not a policy-as-code tool, but a service that provides recommendations to help you follow AWS best practices. Trusted Advisor does not allow you to define your own security policies or validate your CloudFormation templates against them3.

B) Turning on AWS Config and using the prebuilt or customized rules is not a solution, because AWS Config is not a policy-as-code tool, but a service that monitors and records the configuration changes of your AWS resources. AWS Config does not allow you to validate your CloudFormation templates before deploying them, but only evaluates the compliance of your resources after they are created4.

D) Creating rule sets as SCPs and integrating them as a part of validation control in a phase of the CI/CD process is not a solution, because SCPs are not policy-as-code tools, but policies that you can use to manage permissions in your AWS Organizations. SCPs do not allow you to validate your CloudFormation templates, but only restrict the actions that users and roles can perform in your accounts5.


1: What is AWS CloudFormation Guard? 2: Introducing AWS CloudFormation Guard 2.0 3: AWS Trusted Advisor 4: What Is AWS Config? 5: Service control policies - AWS Organizations

Contribute your Thoughts:

Bulah
8 months ago
Hmm, I'm not sure about that. Option B relies on AWS Config to detect the issues, but that means we're still allowing the non-compliant resources to be deployed, even if we get notified about it. I think a proactive approach like CloudFormation Guard is better.
upvoted 0 times
...
Julian
8 months ago
What about option B with AWS Config? That seems like a good solution too. We can leverage the prebuilt rules or create our own, and then have the pipeline subscribe to the SNS topic to receive notifications. That way, we can still catch non-compliant resources, even if they slip through the initial validation.
upvoted 0 times
...
Luisa
8 months ago
I agree, option C sounds like the way to go. Creating custom rule sets in CloudFormation Guard allows us to define our security policies programmatically and integrate them directly into our CI/CD pipeline. That way, we can catch any issues early on before they make it to production.
upvoted 0 times
Amina
7 months ago
Using rule sets in CloudFormation Guard will help us maintain compliance with our security policies.
upvoted 0 times
...
Reena
8 months ago
Agreed. It's important to automate security checks to prevent any unauthorized configurations in AWS infrastructure.
upvoted 0 times
...
Haydee
8 months ago
I think integrating security checks into the CI/CD pipeline will definitely improve our security posture.
upvoted 0 times
...
Jovita
8 months ago
That's right. It's better to catch security issues early in the deployment process.
upvoted 0 times
...
Winifred
8 months ago
Yes, CloudFormation Guard can run validation checks on templates during the CI/CD process to prevent any policy violations.
upvoted 0 times
...
Kent
8 months ago
Option C sounds good. Custom rule sets in CloudFormation Guard can help us enforce security policies.
upvoted 0 times
...
...
Kimbery
8 months ago
Hmm, this seems like a tricky question. We need a solution that can enforce our security policies and prevent the deployment of any non-compliant infrastructure. I'm leaning towards option C - using AWS CloudFormation Guard to validate our templates before deployment.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77