Question 12 - AWS SCS-C03 Real Exam Questions [Jan 2026 Update]

Q: 12

A company is using AWS Organizations with nested OUs to manage AWS accounts. The company has a custom compliance monitoring service for the accounts. The monitoring service runs as an AWS Lambda function and is invoked by Amazon EventBridge Scheduler. The company needs to deploy the monitoring service in all existing and future accounts in the organization. The company must avoid using the organization's management account when the management account is not required. Which solution will meet these requirements?

Options

Correct Answer:

Explanation

This solution correctly addresses all requirements. AWS CloudFormation StackSets with service-managed permissions are designed to deploy resources across an AWS Organization. Enabling automatic deployment ensures that the stack is provisioned in all existing and future member accounts. By configuring a delegated administrator for AWS CloudFormation, the company can manage these StackSets from a designated member account instead of the management account. This adheres to the security best practice of minimizing the use of the management account, fulfilling the principle of least privilege for routine operational tasks.

Why Incorrect

A. This approach is incorrect because it requires manual intervention to add new accounts, failing the automation requirement. It also unnecessarily uses the management account for a task that can be delegated.

C. While Systems Manager can deploy resources and supports delegated administration, AWS CloudFormation StackSets are the purpose-built, more direct, and idiomatic service for provisioning infrastructure from templates across an organization.

D. This solution fails because it uses the management account, violating the principle of least privilege. Additionally, sharing a runbook does not automatically deploy resources to new accounts without a separate triggering mechanism.

References

1. AWS CloudFormation User Guide: The section "Register a delegated administrator" states, "You can register a delegated administrator account to create and manage stack sets with service-managed permissions for your organization. By registering a delegated administrator, you can create and manage stack sets from the delegated administrator account." This directly supports using a delegated administrator.

Source: AWS CloudFormation User Guide, "Working with AWS CloudFormation StackSets," section "Register a delegated administrator."

2. AWS CloudFormation User Guide: The section on creating stack sets with service-managed permissions explains the auto-deployment feature. "When you enable auto-deployment, stack instances are automatically deployed to an account when it is added to a target organization or OU." This confirms the capability to deploy to future accounts automatically.

Source: AWS CloudFormation User Guide, "Create a stack set with service-managed permissions," section "Auto-deployment."

3. AWS Organizations User Guide: The guide on best practices for the management account explicitly recommends delegating tasks. "To help you follow this best practice, AWS has created the delegated administrator feature... you can delegate administrative tasks for a specific AWS service to a designated member account."

Source: AWS Organizations User Guide, "Best practices for the management account."

4. AWS Organizations User Guide: The documentation lists services that can be integrated with Organizations, including AWS CloudFormation, which can be registered as a delegated administrator.

Source: AWS Organizations User Guide, "AWS services that you can use with AWS Organizations," section "Services that support delegated administrator."

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE