SCS-C03 Question #72: Real Exam Question with Answer & Explanation
The correct answer is B: configure a delegated administrator account for AWS CloudFormation and roll the monitoring service out as a CloudFormation StackSet that targets the organization root with automatic deployment enabled. The reasoning is in the Explanation section below.
Question
A company is using AWS Organizations with nested OUs to manage AWS accounts. The company has a custom compliance monitoring service for the accounts. The monitoring service runs as an AWS Lambda function and is invoked by Amazon EventBridge Scheduler. The company needs to deploy the monitoring service in all existing and future accounts in the organization. The company must avoid using the organization's management account when the management account is not required. Which solution will meet these requirements?
Options
- A. Create a CloudFormation stack set in the organization's management account and manually add
- B. Configure a delegated administrator account for AWS CloudFormation. Create a CloudFormation
- C. Use Systems Manager delegated administration and Automation to deploy the Lambda function
- D. Create a Systems Manager Automation runbook in the management account and share it to
Explanation
AWS Organizations and CloudFormation StackSets are the standard mechanism for rolling out consistent infrastructure to every account in an organization. The exam's security guidance is to keep the management account out of day-to-day work and to use delegated administrator capabilities wherever a service offers them: governance stays centralized, but the blast radius of a compromised operator credential is a member account rather than the account that owns the whole organization.

With a delegated administrator account registered for CloudFormation StackSets, the company creates and manages the stack set from that account using service-managed permissions. Targeting the organization root deploys to every existing account, including accounts in nested OUs, and enabling automatic deployment means accounts that later join the organization (or are moved into a targeted OU or one of its child OUs) receive the monitoring service with no manual step. The management account is still needed once, to activate trusted access between Organizations and StackSets and to register the delegated administrator; that one-time setup is the only point at which its use is actually required, which is exactly what the question asks for.

Option A covers the existing accounts but needs a manual update every time an account is added, and it runs every deployment from the management account. Options C and D rely on Systems Manager Automation, which can work but adds operational complexity and is not the standard AWS mechanism for organization-wide infrastructure rollout compared with StackSets with automatic deployment. StackSets also provide consistent change control, drift detection, and centralized updates, which align with governance expectations for compliance.
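The two-step procedure described above as a runnable AWS CLI script. This is an added example, not part of the exam page and not AWS sample code. The delegated administrator account ID, organization root ID, region, stack set name and Lambda body are placeholders, and the CloudFormation template is an assumed minimal version of the monitoring service (the function, its execution role, and an EventBridge Scheduler schedule with a role allowed to invoke only that function). The management-account step and the delegated-account step are separate functions so each can be run with the matching credentials.

```shell
#!/usr/bin/env bash
# Added example (not from the exam page or AWS): delegated-admin StackSet rollout
# of the compliance monitor. IDs, names, region and the Lambda body are placeholders.
set -eu

# Return 1 (not exit) when a required environment variable is unset or empty.
require_vars() {
  for v in "$@"; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $v" >&2
      return 1
    fi
  done
}

# Step 1, management account, one time: the only step that genuinely needs it.
# Trusted access lets StackSets create its roles in member accounts.
enable_stacksets_delegated_admin() {
  require_vars DELEGATED_ADMIN_ACCOUNT_ID
  aws cloudformation activate-organizations-access
  aws organizations register-delegated-administrator \
    --account-id "$DELEGATED_ADMIN_ACCOUNT_ID" \
    --service-principal member.org.stacksets.cloudformation.amazonaws.com
}

# Assumed minimal template for the monitoring service: Lambda function, its
# execution role, and an EventBridge Scheduler schedule invoking it through a
# role scoped to that one function.
write_monitor_template() {
  cat > "$1" <<'EOF'
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MonitorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - {Effect: Allow, Principal: {Service: lambda.amazonaws.com}, Action: sts:AssumeRole}
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  MonitorFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt MonitorRole.Arn
      Code:
        ZipFile: |
          def handler(event, context):
              return {"status": "checked"}  # placeholder for the real checks
  SchedulerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - {Effect: Allow, Principal: {Service: scheduler.amazonaws.com}, Action: sts:AssumeRole}
      Policies:
        - PolicyName: invoke-monitor
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: !GetAtt MonitorFunction.Arn
  MonitorSchedule:
    Type: AWS::Scheduler::Schedule
    Properties:
      ScheduleExpression: rate(1 hour)
      FlexibleTimeWindow: {Mode: "OFF"}
      Target:
        Arn: !GetAtt MonitorFunction.Arn
        RoleArn: !GetAtt SchedulerRole.Arn
EOF
}

# Step 2, delegated administrator account: service-managed permissions plus
# automatic deployment, targeted at the organization root (covers nested OUs
# and accounts that join later). --call-as DELEGATED_ADMIN is what keeps the
# management account out of the loop.
deploy_monitor_stackset() {
  require_vars ORG_ROOT_ID REGION
  tmpl="$(mktemp)"
  write_monitor_template "$tmpl"
  aws cloudformation create-stack-set --stack-set-name compliance-monitor \
    --template-body "file://$tmpl" \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_IAM \
    --call-as DELEGATED_ADMIN
  aws cloudformation create-stack-instances --stack-set-name compliance-monitor \
    --deployment-targets "OrganizationalUnitIds=$ORG_ROOT_ID" \
    --regions "$REGION" \
    --call-as DELEGATED_ADMIN
  rm -f "$tmpl"
}

# Nothing runs unless a step is named, so the file is safe to source.
case "${1:-}" in
  management) enable_stacksets_delegated_admin ;;
  delegated)  deploy_monitor_stackset ;;
esac
```

Run the first step with management-account credentials (`DELEGATED_ADMIN_ACCOUNT_ID=111122223333 bash deploy-monitor.sh management`, a placeholder account ID) and the second from the delegated administrator (`ORG_ROOT_ID=r-abcd REGION=us-east-1 bash deploy-monitor.sh delegated`, again placeholders). The inline `ZipFile` keeps the example self-contained; a packaged function referenced from S3 must sit in a bucket in each target region that the target accounts can read. `CAPABILITY_IAM` is required because the template creates IAM roles, and `RetainStacksOnAccountRemoval=false` removes the monitor from an account that leaves the targeted scope, so the assumed setting matches the "all accounts in the organization" intent rather than leaving orphaned stacks behind.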