AWS Certified DevOps Engineer - Professional Exam: Deploying CloudFormation Stack for AWS Config Rules



Question

You are a DevOps engineer in a company.

An AWS Organization is configured to manage a large number of AWS accounts and the Organization uses several Organizational Units (OUs) to help group AWS accounts together.

You need to deploy a CloudFormation stack to enable customized AWS Config rules for all AWS accounts under one Organizational Unit.

Which approach would you choose to provision the stack?


Correct Answer - D.

You can use a CloudFormation StackSet to deploy a stack into multiple AWS accounts under one Organizational Unit (OU).

Check how to work with CloudFormation StackSets in https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html.

Option A is incorrect: This approach is not as simple as a CloudFormation StackSet, because you have to maintain the CodeDeploy task yourself.

Option B is incorrect: In the deploy stage of AWS CodePipeline, you cannot choose other AWS accounts for the deployment.

Option C is incorrect: It is not easy to create CloudFormation stacks in other AWS accounts, even if the template has parameters for AWS accounts and regions.

Option D is CORRECT: With a CloudFormation StackSet, you can specify the Organizational Unit as the deployment target, and the CloudFormation stack will be deployed in all member accounts of that OU, as shown in the console's deployment options:

[Console screenshot: "Set deployment options". Under "Accounts" ("Identify accounts or organizational units in which you want to modify stacks") the "Deployment locations" choice is "Deploy stacks in accounts" or "Deploy stacks in organizational units" (selected). The "Organization numbers" field ("Enter an organization unit") expects an OU ID in the form 'ou-' followed by 4 to 32 lower-case letters or digits (the ID of the root that contains the OU), then a second '-' dash, then 8 to 32 additional lower-case letters or digits.]


Option A: This option suggests creating an IAM role with the required permissions and using that role to configure a CodeDeploy task that deploys CloudFormation stacks in all AWS accounts of the Organization Unit. This approach is not recommended because it requires additional overhead to manage the IAM role and CodeDeploy tasks across all AWS accounts. Also, this approach assumes that CodeDeploy is already configured in all AWS accounts, which may not be the case.

Option B: This option suggests configuring an AWS CodePipeline task that has a source stage to select the template and a deploy stage to launch the CloudFormation stack in all AWS accounts of the OU. This approach is also not recommended because it requires additional overhead to manage the CodePipeline task across all AWS accounts. Also, CodePipeline may not be available or configured in all AWS accounts.

Option C: This option suggests ensuring the CloudFormation template has parameters of AWS accounts and regions and using the root AWS account to deploy the CloudFormation stack in all AWS accounts. This approach is technically possible, but it requires the use of the AWS Organizations service to manage the AWS accounts and the CloudFormation stack. The CloudFormation stack must have the necessary permissions to access the AWS accounts, which can be challenging to manage.

Option D: This option suggests configuring a CloudFormation StackSet using the CloudFormation template, choosing the Organizational Unit as the StackSet target, and specifying the regions in which to deploy the stack. This is the recommended approach for deploying a CloudFormation stack to all AWS accounts in an Organizational Unit. A StackSet is a collection of CloudFormation stacks that can be deployed across multiple accounts and regions in an AWS Organization. StackSets can be used to deploy resources that are common across multiple accounts, such as AWS Config rules. By using a StackSet, the CloudFormation stack is deployed consistently across all AWS accounts in the Organizational Unit, and any updates to the stack can also be propagated easily.
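The StackSet deployment chosen in Option D, and the OU ID format shown in the console screenshot, as an added worked example (not code from the exam page or from AWS): the script validates the OU target, writes a minimal template containing one AWS-managed Config rule, and composes the two AWS CLI calls that create a service-managed StackSet and deploy it to every account in the OU. The stack set name, the OU ID and the region are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the exam page or AWS docs: validate the OU target,
# write a minimal Config-rule template, and compose the two AWS CLI calls that
# create a service-managed StackSet and deploy it to every account in the OU.
# The stack set name, OU ID and region used below are constructed placeholders.

# OU ID format as described on the page:
# 'ou-' + 4..32 lower-case letters/digits (root ID part) + '-' + 8..32 more.
is_valid_ou_id() {
  printf '%s' "$1" | grep -Eq '^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$'
}

# Template with one AWS-managed Config rule (a real managed rule identifier).
write_template() {
  cat > "$1" <<'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Description: Managed AWS Config rule deployed to an OU through StackSets
Resources:
  S3PublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
EOF
}

# Print (do not run) the CLI calls. SERVICE_MANAGED permissions let the
# StackSet target an OU without per-account execution roles, and
# auto-deployment also covers accounts that join the OU later.
# Arguments: stack-set name, OU ID, region list, template path.
stackset_commands() {
  name=$1 ou=$2 regions=$3 tpl=$4
  is_valid_ou_id "$ou" || { echo "invalid OU id: $ou" >&2; return 1; }
  printf '%s\n' "aws cloudformation create-stack-set --stack-set-name $name --template-body file://$tpl --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false"
  printf '%s\n' "aws cloudformation create-stack-instances --stack-set-name $name --deployment-targets OrganizationalUnitIds=$ou --regions $regions"
}

# Demo with constructed values; pipe the output to sh from the management
# account (or a delegated administrator) to actually run it.
TPL=$(mktemp)
write_template "$TPL"
stackset_commands config-rules-ou-demo ou-abcd-12345678 us-east-1 "$TPL"
```

Two prerequisites the exam answer leaves implicit: trusted access between AWS Organizations and CloudFormation StackSets must be enabled before an OU can be targeted, and each member account needs an AWS Config configuration recorder, since an AWS::Config::ConfigRule resource cannot be created without one.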