Which combination of steps should the DevOps team take to meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company uses an organization in AWS Organizations to manage its AWS accounts.The company recently acquired another company that has standalone AWS accounts.The acquiring company’s DevOps team needs to consolidate the administration of the AWS accounts for both companies and retain full administrative control of the accounts.The DevOps team also needs to collect and group findings across all the accounts to implement and maintain a security posture.

Which combination of steps should the DevOps team take to meet these requirements?

(Choose two.)

Invite the acquired company’s AWS accounts to join the organization. Create an SCP that has full administrative privileges. Attach the SCP to the management account.

Invite the acquired company’s AWS accounts to join the organization. Create the OrganizationAccountAccessRole IAM role in the invited accounts. Grant permission to the management account to assume the role.

Use AWS Security Hub to collect and group findings across all accounts. Use Security Hub to automatically detect new accounts as the accounts are added to the organization.

Use AWS Firewall Manager to collect and group findings across all accounts. Enable all features for the organization. Designate an account in the organization as the delegated administrator account for Firewall Manager.

Use Amazon Inspector to collect and group findings across all accounts. Designate an account in the organization as the delegated administrator account for Amazon Inspector.

Explanations:

The option mentions creating an SCP with full administrative privileges, which contradicts the idea of enforcing a security posture. SCPs are used to limit permissions, not to grant full access. The correct approach is to manage permissions more specifically.

Inviting the acquired company’s AWS accounts to join the organization and creating the OrganizationAccountAccessRole IAM role enables the management account to assume administrative control over the invited accounts. This allows the DevOps team to retain full control.

AWS Security Hub can aggregate and group findings across multiple accounts. It can automatically detect new accounts as they are added to the organization, ensuring that the security posture is maintained consistently.

AWS Firewall Manager is not designed to aggregate and group security findings; it is used for managing security policies, such as firewall rules. It doesn’t align with the requirement to consolidate findings for security posture management.

Amazon Inspector focuses on security assessments rather than collecting and grouping findings across multiple accounts. While it can perform security analysis, it does not meet the need to aggregate findings across all accounts for security posture.

2025-10-15

1 Comment

  1. Dylan
    Author

    It seems to me that the answer is:
    Invite the acquired company’s AWS accounts to join the organization. Create the OrganizationAccountAccessRole IAM role in the invited accounts. Grant permission to the management account to assume the role.

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty + 14 =