
Amazon SCS-C02 Exam - Topic 5 Question 6 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 6
Topic #: 5

A company uses infrastructure as code (IaC) to create AWS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates.

After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company's security posture on AWS. The company must prevent the deployment of any infrastructure that would violate a security policy, such as an unencrypted Amazon Elastic Block Store (Amazon EBS) volume.

Which solution will meet these requirements?

Suggested Answer: C

The correct answer is C. Create rule sets in AWS CloudFormation Guard. Run validation checks for CloudFormation templates as a phase of the CI/CD process.

This answer is correct because AWS CloudFormation Guard is a tool that helps you implement policy-as-code for your CloudFormation templates. You can use Guard to write rules that define your security policies, such as requiring encryption for EBS volumes, and then validate your templates against those rules before deploying them. You can integrate Guard into your CI/CD pipeline as a step that runs the validation checks and prevents the deployment of any non-compliant templates [1][2].
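An added example of such a rule set, not code from the page or from AWS: a constructed CloudFormation Guard rules file (Guard 2.x syntax) that fails validation for any AWS::EC2::Volume whose Encrypted property is missing or not true. The variable name, rule name and message text are assumptions.

```guard
# Constructed rule set for the policy named in the question:
# block any template that declares an unencrypted EBS volume.

# Select every AWS::EC2::Volume resource in the template being validated.
let ebs_volumes = Resources.*[ Type == 'AWS::EC2::Volume' ]

# The rule only fires when the template actually declares EBS volumes;
# a template with none is compliant with this particular policy.
rule ebs_volumes_must_be_encrypted when %ebs_volumes !empty {
    # A volume with no Encrypted property is created unencrypted unless the
    # account has EBS encryption by default turned on, so require it explicitly.
    %ebs_volumes.Properties.Encrypted exists
        <<AWS::EC2::Volume must declare Properties.Encrypted>>
    # Encrypted: false is an explicit violation of the policy.
    %ebs_volumes.Properties.Encrypted == true
        <<AWS::EC2::Volume must set Encrypted: true>>
}
```

In the CI/CD validation phase, `cfn-guard validate --rules ebs-encryption.guard --data template.yaml` returns a non-zero exit status when any rule fails, which is what stops the pipeline before the template is deployed.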

The other options are incorrect because:

A) Turning on AWS Trusted Advisor and configuring security notifications as webhooks in the preferences section of the CI/CD pipeline is not a solution, because AWS Trusted Advisor is not a policy-as-code tool, but a service that provides recommendations to help you follow AWS best practices. Trusted Advisor does not allow you to define your own security policies or validate your CloudFormation templates against them [3].

B) Turning on AWS Config and using the prebuilt or customized rules is not a solution, because AWS Config is not a policy-as-code tool, but a service that monitors and records the configuration changes of your AWS resources. AWS Config does not allow you to validate your CloudFormation templates before deploying them, but only evaluates the compliance of your resources after they are created [4].

D) Creating rule sets as SCPs and integrating them as a part of validation control in a phase of the CI/CD process is not a solution, because SCPs are not policy-as-code tools, but policies that you can use to manage permissions in your AWS Organizations. SCPs do not allow you to validate your CloudFormation templates, but only restrict the actions that users and roles can perform in your accounts [5].


References:

[1] What is AWS CloudFormation Guard?
[2] Introducing AWS CloudFormation Guard 2.0
[3] AWS Trusted Advisor
[4] What Is AWS Config?
[5] Service control policies - AWS Organizations

Comments:
Krystal
3 months ago
SCPs in option D could work, but they seem more complex.
upvoted 0 times
Kaitlyn
3 months ago
Wait, can AWS Config really prevent deployments? Sounds too good to be true.
upvoted 0 times
Erin
4 months ago
Not sure if that's enough, though. What about runtime checks?
upvoted 0 times
Salina
4 months ago
Totally agree, CloudFormation Guard is super effective!
upvoted 0 times
Johna
4 months ago
I think option C is the best choice for policy-as-code.
upvoted 0 times
Kris
4 months ago
I vaguely remember something about SCPs being used for governance, but I’m not confident about how they fit into the CI/CD pipeline.
upvoted 0 times
Edmond
4 months ago
I feel like turning on AWS Trusted Advisor is more about best practices rather than enforcing security policies.
upvoted 0 times
Margo
5 months ago
I think using AWS CloudFormation Guard sounds familiar. We practiced validating templates, but I can't recall if it was specifically for security policies.
upvoted 0 times
Oliva
5 months ago
I remember we discussed how AWS Config can help with compliance, but I'm not sure if it directly prevents deployments.
upvoted 0 times
Chaya
5 months ago
This is a tricky one. There are a few different approaches, and I'm not sure which one is the most appropriate. I'll need to weigh the trade-offs of each option, like the level of customization, integration with the existing CI/CD pipeline, and the overall complexity. I'll need to think this through carefully.
upvoted 0 times
Antonio
5 months ago
Okay, I think I've got a good handle on this. Based on the details provided, Option C using CloudFormation Guard seems like the most direct way to validate the CloudFormation templates against security policies as part of the CI/CD process. I'll make sure to review the CloudFormation Guard documentation to implement that effectively.
upvoted 0 times
Thea
5 months ago
This seems like a straightforward question about using policy-as-code to enforce security in an IaC environment. I'll need to carefully review the options and think through the pros and cons of each approach.
upvoted 0 times
Lanie
5 months ago
Hmm, I'm a bit unsure about this one. There are a few different AWS services mentioned, and I want to make sure I understand how they work together to meet the requirements. I'll need to do some research on AWS Config, CloudFormation Guard, and SCPs to decide the best solution.
upvoted 0 times
Roselle
5 months ago
Ah, I remember learning about this in class. The agent's "percept" is the technical term for the perceptual input it receives from the environment. I'm feeling good about selecting that answer.
upvoted 0 times
Milly
5 months ago
I think I remember that fancy fonts can be difficult to read, especially in smaller sizes. That might be one reason to suggest a simpler typeface.
upvoted 0 times
Kimberely
5 months ago
I feel like recreating the guestshell might be necessary when there's an issue like this, especially if it's not responding properly. I just can't recall the exact steps.
upvoted 0 times
Natalie
5 months ago
I think Citrix recommends Always On for high availability, but I'm not completely sure.
upvoted 0 times