Which solution will meet these requirements?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A financial services company that runs on AWS has designed its security controls to meet industry standards.The industry standards include the National Institute of Standards and Technology (NIST) and the Payment Card Industry Data Security Standard (PCI DSS).The company’s third-party auditors need proof that the designed controls have been implemented and are functioning correctly.The company has hundreds of AWS accounts in a single organization in AWS Organizations.The company needs to monitor the current state of the controls across accounts.

Which solution will meet these requirements?

Designate one account as the Amazon Inspector delegated administrator account from the Organizations management account. Integrate Inspector with Organizations to discover and scan resources across all AWS accounts. Enable Inspector industry standards for NIST and PCI DSS.

Designate one account as the Amazon GuardDuty delegated administrator account from the Organizations management account. In the designated GuardDuty administrator account, enable GuardDuty to protect all member accounts. Enable GuardDuty industry standards for NIST and PCI DSS.

Configure an AWS CloudTrail organization trail in the Organizations management account. Designate one account as the compliance account. Enable CloudTrail security standards for NIST and PCI DSS in the compliance account.

Designate one account as the AWS Security Hub delegated administrator account from the Organizations management account. In the designated Security Hub administrator account, enable Security Hub for all member accounts. Enable Security Hub standards for NIST and PCI DSS.

Explanations:

Amazon Inspector is primarily used for vulnerability assessments and compliance checking of individual resources rather than monitoring the overall state of controls across multiple accounts. It does not provide centralized visibility or compliance reporting across an AWS Organization.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. While it can protect multiple accounts, it does not specifically address compliance monitoring for standards like NIST and PCI DSS across all AWS accounts in a comprehensive manner.

AWS CloudTrail provides logging of API calls and is essential for auditing, but it does not actively monitor the security controls’ state. While useful for compliance, it lacks the integrated compliance checks and standards functionality needed to demonstrate that controls are implemented and functioning correctly across multiple accounts.

AWS Security Hub is designed for centralized security management and compliance monitoring across multiple AWS accounts. By designating one account as the Security Hub delegated administrator, the company can enable Security Hub to aggregate findings, assess compliance against standards like NIST and PCI DSS, and provide comprehensive visibility into the security posture across all member accounts.

2025-10-22

1 Comment

  1. Samantha
    Author

    I have a feeling that the answer is:
    Designate one account as the AWS Security Hub delegated administrator account from the Organizations management account. In the designated Security Hub administrator account, enable Security Hub for all member accounts. Enable Security Hub standards for NIST and PCI DSS.

Leave a Reply

Your email address will not be published. Required fields are marked *

20 + sixteen =