Which solution will meet these requirements with the LEAST operational overhead?
Deploy an AWS Control Tower environment in the Organizations management account. Enable AWS Security Hub and AWS Control Tower Account Factory in the environment.
Deploy an AWS Control Tower environment in a dedicated Organizations member account. Enable AWS Security Hub and AWS Control Tower Account Factory in the environment.
Use AWS Managed Services (AMS) Accelerate to build a multi-account landing zone (MALZ). Submit an RFC to self-service provision Amazon GuardDuty in the MALZ.
Use AWS Managed Services (AMS) Accelerate to build a multi-account landing zone (MALZ). Submit an RFC to self-service provision AWS Security Hub in the MALZ.
Explanations:
AWS Control Tower automates account provisioning, applies AWS best practices, and integrates with AWS Security Hub to audit compliance with the AWS Foundational Security Best Practices (FSBP) standard.
Deploying AWS Control Tower in a member account adds complexity and increases operational overhead. The best practice is to use the management account.
AWS Managed Services (AMS) Accelerate is not the ideal solution for this requirement. It involves additional steps and costs, and does not focus on security auditing.
AMS Accelerate does not align with the goal of minimal operational overhead for security auditing and compliance. Security Hub would need manual provisioning.