You are a DevOps engineer in a company.
An AWS Organization is configured to manage a large number of AWS accounts and the Organization uses several Organizational Units (OUs) to help group AWS accounts together.
You need to deploy a CloudFormation stack to enable customized AWS Config rules for all AWS accounts under one Organizational Unit.
Which approach would you choose to provision the stack?
A. B. C. D.
Correct Answer - D.
You can use a CloudFormation StackSet to deploy a stack in different AWS accounts under one Organizational Unit (OU).
For how to work with CloudFormation StackSets, see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html.
Option A is incorrect: This approach is not as simple as a CloudFormation StackSet because you have to maintain the CodeDeploy task.
Option B is incorrect: In the deploy stage of AWS CodePipeline, you cannot choose other AWS accounts for the deployment.
Option C is incorrect: It is not easy to create CloudFormation stacks for other AWS accounts even if there are parameters of AWS accounts and regions.
Option D is CORRECT: With a CloudFormation StackSet, you can specify the Organizational Unit as the target, and the CloudFormation stack will be deployed in all AWS member accounts.
The correct answer is D: Configure a CloudFormation StackSet using the CloudFormation template. Choose the Organizational Unit in the StackSet and specify the regions to deploy the stack.
Explanation:
AWS Organizations provides centralized management for multiple AWS accounts. It enables you to create groups of AWS accounts and apply policies to those groups. You can also use Organizational Units (OUs) to group accounts further. CloudFormation StackSets is a service that allows you to deploy a CloudFormation stack to multiple accounts and regions.
To deploy customized AWS Config rules to all AWS accounts under one OU, the best approach is to use CloudFormation StackSets. This approach provides a centralized and efficient way to deploy the CloudFormation stack to all accounts and regions.
Option A suggests using an IAM role to create AWS Config rules and CodeDeploy to deploy the CloudFormation stacks in all accounts. While this is a possible solution, it is more complex and less efficient than using StackSets.
Option B suggests using CodePipeline to launch the CloudFormation stack in all accounts. This approach is not ideal for this scenario because CodePipeline is used for continuous delivery, and this scenario involves a one-time deployment of a CloudFormation stack.
Option C suggests using a CloudFormation template with parameters of AWS accounts and regions and deploying the CloudFormation stack from the root AWS account. While this approach is possible, it requires additional configuration steps and is less efficient than using StackSets.
Option D is the best approach for this scenario. By configuring a CloudFormation StackSet using the CloudFormation template and choosing the OU and regions to deploy the stack, the DevOps engineer can quickly and efficiently deploy the customized AWS Config rules to all AWS accounts under one OU.
In conclusion, when deploying a CloudFormation stack to multiple AWS accounts and regions, CloudFormation StackSets is the most efficient and centralized approach.
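The deployment described in option D, sketched with boto3 as an added example (not part of the original question or of AWS documentation). The stack set name, OU id, regions and the one-rule template are constructed placeholders; the request builder runs offline, and only `deploy` needs boto3 and credentials.

```python
import re

# Constructed sample template: one AWS Config rule standing in for the
# "customized" rules the question mentions.
TEMPLATE_BODY = """\
Resources:
  BucketEncryptionRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-sse-enabled
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
"""

OU_ID = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")


def build_requests(name, ou_ids, regions):
    """Return kwargs for create_stack_set and create_stack_instances."""
    bad = [ou for ou in ou_ids if not OU_ID.match(ou)]
    if bad or not ou_ids:
        raise ValueError(f"expected OU ids like ou-abcd-12345678, got {bad}")
    if not regions:
        raise ValueError("at least one region is required")
    stack_set = {
        "StackSetName": name,
        "TemplateBody": TEMPLATE_BODY,
        # OU targets require service-managed permissions (trusted access
        # between CloudFormation and AWS Organizations).
        "PermissionModel": "SERVICE_MANAGED",
        # Accounts that join the OU later receive the stack automatically.
        "AutoDeployment": {"Enabled": True, "RetainStacksOnAccountRemoval": False},
    }
    instances = {
        "StackSetName": name,
        "DeploymentTargets": {"OrganizationalUnitIds": list(ou_ids)},
        "Regions": list(regions),
        # Stop the rollout as soon as any account fails.
        "OperationPreferences": {"FailureToleranceCount": 0, "MaxConcurrentCount": 5},
    }
    return stack_set, instances


def deploy(name, ou_ids, regions):
    """Create the StackSet and its instances; needs boto3 and credentials."""
    import boto3  # imported here so build_requests works offline
    cfn = boto3.client("cloudformation")
    stack_set, instances = build_requests(name, ou_ids, regions)
    cfn.create_stack_set(**stack_set)
    return cfn.create_stack_instances(**instances)["OperationId"]
```

An AWS Config rule can only be created in an account and region where a configuration recorder already exists, so the stack fails in member accounts that have not set up AWS Config. Service-managed StackSets also skip the organization's management account, even when it sits inside the targeted OU.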