SCS-C03 · Question #94
SCS-C03 Question #94: Real Exam Question with Answer & Explanation
The correct answer is D: Use the organization's management account to designate a Security Hub delegated administrator.
Question
A company has a multi-account strategy that uses an organization in AWS Organizations with all features enabled. The company has enabled trusted access for AWS Account Management. New accounts are provisioned through AWS Control Tower Account Factory. The company must ensure that all new accounts in the organization become AWS Security Hub member accounts. Which solution will meet these requirements with the LEAST development effort?
Options
- A. Enable Security Hub in the organization's management account. Create an AWS Step Functions
- B. Enable Security Hub in the organization's management account. Wait for all new accounts to
- C. Enable Security Hub in the organization's management account. Create an AWS Lambda
- D. Use the organization's management account to designate a Security Hub delegated administrator
Explanation
Designating a Security Hub delegated administrator account (option D) is the most efficient solution because it enables automatic enrollment of all new accounts created through AWS Organizations - including those provisioned via Control Tower Account Factory - without writing any custom code or automation. When a delegated administrator is configured, Security Hub automatically adds new member accounts through its auto-enable feature, which is a native AWS Organizations integration requiring minimal configuration effort.
Why the distractors are wrong:
- Option A (Step Functions) requires building and maintaining a custom state machine workflow, which introduces unnecessary development effort when native AWS functionality already handles this automatically.
- Option B is incomplete and passive - simply enabling Security Hub and "waiting" does not guarantee automatic enrollment of new member accounts without explicit configuration of auto-enrollment.
- Option C (Lambda function) also requires custom code development to detect new accounts and enroll them in Security Hub, which is more effort than using the built-in delegated administrator feature.
Memory Tip: Think "Delegate, Don't Develop" - whenever AWS Organizations supports a delegated administrator pattern for a security service (like Security Hub, GuardDuty, or Macie), that option almost always wins for "least development effort" questions because AWS handles the automation natively, eliminating the need for custom Lambda, Step Functions, or other bespoke solutions.
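Option D expressed as code, added here as an example (not the exam page's or AWS's own code): the delegated-administrator designation from the management account, auto-enable from the delegated administrator, and a defender's check that lists organization accounts Security Hub does not yet show as enabled members. The boto3 sessions, region and account IDs are assumptions.

```python
# Added example; sessions, region and account IDs are assumptions. Security Hub is regional,
# so repeat the calls in every region you monitor.
SECURITY_HUB_PRINCIPAL = "securityhub.amazonaws.com"

def designate_delegated_admin(mgmt_session, admin_account_id, region):
    """Management account only: trust Security Hub, then designate the admin (option D)."""
    orgs = mgmt_session.client("organizations")
    hub = mgmt_session.client("securityhub", region_name=region)
    orgs.enable_aws_service_access(ServicePrincipal=SECURITY_HUB_PRINCIPAL)  # idempotent
    hub.enable_organization_admin_account(AdminAccountId=admin_account_id)

def enable_auto_enrollment(admin_session, region):
    """Delegated administrator only: auto-enable makes every new org account a member."""
    hub = admin_session.client("securityhub", region_name=region)
    hub.update_organization_configuration(AutoEnable=True)
    return hub.describe_organization_configuration()

def auto_enable_is_on(org_config):
    """Check a describe_organization_configuration response."""
    return bool(org_config.get("AutoEnable"))

def find_unenrolled(org_accounts, members, admin_account_id):
    """ACTIVE accounts lacking an 'Enabled' membership; the admin is never its own member."""
    enrolled = {m["AccountId"] for m in members if m.get("MemberStatus") == "Enabled"}
    return sorted(a["Id"] for a in org_accounts
                  if a.get("Status") == "ACTIVE"
                  and a["Id"] != admin_account_id and a["Id"] not in enrolled)

def audit_enrollment(admin_session, region, admin_account_id):
    """Live check from the delegated administrator: (auto_enable_on, unenrolled_ids)."""
    hub = admin_session.client("securityhub", region_name=region)
    orgs = admin_session.client("organizations")  # delegated admins may call read-only Org APIs
    members = [m for page in hub.get_paginator("list_members").paginate(OnlyAssociated=False)
               for m in page["Members"]]
    accounts = [a for page in orgs.get_paginator("list_accounts").paginate()
                for a in page["Accounts"]]
    config = hub.describe_organization_configuration()
    return auto_enable_is_on(config), find_unenrolled(accounts, members, admin_account_id)

# Constructed sample data (not real account IDs) for running the checks offline.
SAMPLE_ADMIN = "111111111111"
SAMPLE_ORG_ACCOUNTS = [
    {"Id": "111111111111", "Status": "ACTIVE"},     # delegated administrator
    {"Id": "222222222222", "Status": "ACTIVE"},     # already a member
    {"Id": "333333333333", "Status": "ACTIVE"},     # new Account Factory account
    {"Id": "444444444444", "Status": "SUSPENDED"},  # closed accounts are ignored
]
SAMPLE_MEMBERS = [
    {"AccountId": "222222222222", "MemberStatus": "Enabled"},
    {"AccountId": "333333333333", "MemberStatus": "Created"},  # created, not yet enabled
]
```

Running `audit_enrollment` on a schedule from the delegated administrator turns the "least development effort" answer into a verifiable control: an empty gap list plus `AutoEnable` true is the expected state.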