DOP-C02 Question #185: Real Exam Question with Answer & Explanation

The correct answer is B: Invite the acquired company's AWS accounts to join the organization. Create the.

Submitted by emma.c · Mar 6, 2026 · Security and Compliance

Question

A company uses an organization in AWS Organizations to manage its AWS accounts. The company recently acquired another company that has standalone AWS accounts. The acquiring company's DevOps team needs to consolidate the administration of the AWS accounts for both companies and retain full administrative control of the accounts. The DevOps team also needs to collect and group findings across all the accounts to implement and maintain a security posture. Which combination of steps should the DevOps team take to meet these requirements? (Choose two.)

Options

  • A. Invite the acquired company's AWS accounts to join the organization. Create an SCP that has full
  • B. Invite the acquired company's AWS accounts to join the organization. Create the
  • C. Use AWS Security Hub to collect and group findings across all accounts. Use Security Hub to
  • D. Use AWS Firewall Manager to collect and group findings across all accounts. Enable all features
  • E. Use Amazon Inspector to collect and group findings across all accounts. Designate an account in

Explanation

Inviting the acquired company's accounts to join the organization (Option B) is the correct consolidation approach. The key distinction from Option A is that you should enable all features in the organization rather than rely on an SCP with full administrative permissions; enabling all features allows the management account to retain full administrative control over member accounts. AWS Security Hub (Option C) is the purpose-built service for aggregating, organizing, and prioritizing security findings across multiple AWS accounts and Regions, making it the right tool for maintaining a security posture at scale.

Why the distractors are wrong:

  • Option A is incorrect because creating an SCP that grants full administrative permissions contradicts how SCPs work: SCPs are used to restrict permissions, not grant them, and full admin control comes from enabling all features in Organizations.
  • Option D is incorrect because AWS Firewall Manager is designed to centrally manage firewall rules and WAF policies, not to collect and group security findings across accounts.
  • Option E is incorrect because Amazon Inspector focuses specifically on vulnerability scanning of EC2 instances and container images, not broad cross-account security findings aggregation.
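
The point made about Option A can be checked with a small model of how SCPs combine with IAM identity policies. This is an added example, not part of the original page; the policy shape and the function `is_allowed` are simplifications assumed here (actions only, no resources, conditions or permission boundaries).

```python
from fnmatch import fnmatchcase

# Simplified model (assumption): a policy is a list of (effect, action_pattern)
# statements. Resources, conditions and principals are ignored.
FULL_AWS_ACCESS = [("Allow", "*")]  # same shape as the AWS-managed FullAWSAccess SCP
DENY_LEAVE_ORG = [("Deny", "organizations:LeaveOrganization")]  # constructed sample SCP


def _matches(policy, effect, action):
    """True if any statement in `policy` has this effect and matches the action."""
    return any(
        e == effect and fnmatchcase(action.lower(), pattern.lower())
        for e, pattern in policy
    )


def is_allowed(action, identity_policies, scp_levels):
    """Decide whether a principal in a member account may perform `action`.

    identity_policies: policies attached to the IAM user or role.
    scp_levels: one list of SCPs per hierarchy level (root, each OU, the account).
    """
    all_scps = [scp for level in scp_levels for scp in level]
    # 1. An explicit Deny in any policy or SCP wins.
    if any(_matches(p, "Deny", action) for p in identity_policies + all_scps):
        return False
    # 2. SCPs are a filter: every level of the hierarchy must allow the action.
    for level in scp_levels:
        if not any(_matches(scp, "Allow", action) for scp in level):
            return False
    # 3. The filter grants nothing by itself: an identity policy must allow it.
    return any(_matches(p, "Allow", action) for p in identity_policies)


if __name__ == "__main__":
    admin = [("Allow", "*")]  # constructed identity policy, AdministratorAccess-like
    levels = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_LEAVE_ORG]]
    # A "full admin" SCP with no identity policy grants nothing.
    print(is_allowed("ec2:RunInstances", [], levels))
    # With an identity policy the action passes; the SCP Deny still blocks leaving.
    print(is_allowed("ec2:RunInstances", [admin], levels))
    print(is_allowed("organizations:LeaveOrganization", [admin], levels))
```
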

Memory Tip

Think "Organizations + Security Hub" as the classic duo for multi-account governance: Organizations manages and controls the accounts, while Security Hub watches and reports on security; they're complementary, not interchangeable.

Topics

#Multi-Account Management #AWS Organizations #AWS Security Hub #Security Posture
