Which solution will meet this requirement?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company has an organization in AWS Organizations.The company is using AWS Control Tower to deploy a landing zone for the organization.The company wants to implement governance and policy enforcement.The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company’s production OU.

Which solution will meet this requirement?

Turn on mandatory guardrails in AWS Control Tower. Apply the mandatory guardrails to the production OU.

Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the production OU.

Use AWS Config to create a new mandatory guardrail. Apply the rule to all accounts in the production OU.

Create a custom SCP in AWS Control Tower. Apply the SCP to the production OU.

Explanations:

Turning on mandatory guardrails in AWS Control Tower does not specifically address the detection of unencrypted Amazon RDS DB instances. It focuses on broader compliance.

Enabling a strongly recommended guardrail that checks for Amazon RDS encryption at rest is appropriate. These guardrails are designed for policy enforcement in Control Tower.

AWS Config can be used to create rules for compliance, but it does not constitute a mandatory guardrail. AWS Control Tower mandatory guardrails are predefined and not custom.

Creating a custom SCP (Service Control Policy) does not specifically enforce encryption checks for RDS instances. SCPs are more about access control than configuration compliance.

2025-10-15

1 Comment

  1. Zachary
    Author

    As far as I’m aware, the answer is:
    Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the production OU.

Leave a Reply

Your email address will not be published. Required fields are marked *

9 + 1 =