A company recently created a new AWS Control Tower landing zone in a new organization in AWS Organizations. The landing zone must be able to demonstrate compliance with the Center for Internet Security (CIS) Benchmarks for AWS Foundations.
The company's security team wants to use AWS Security Hub to view compliance across all accounts. Only the security team can be allowed to view aggregated Security Hub findings. In addition, specific users must be able to view findings from their own accounts within the organization. All accounts must be enrolled in Security Hub after the accounts are created.
Which combination of steps will meet these requirements in the MOST automated way? (Select THREE.)
A. Turn on trusted access for Security Hub in the organization's management account. Create a new security account by using AWS Control Tower. Configure the new security account as the delegated administrator account for Security Hub. In the new security account, provide Security Hub with the CIS Benchmarks for AWS Foundations standards.
B. Turn on trusted access for Security Hub in the organization's management account. From the management account, provide Security Hub with the CIS Benchmarks for AWS Foundations standards.
C. Create an AWS IAM Identity Center (AWS Single Sign-On) permission set that includes the required permissions. Use the CreateAccountAssignment API operation to associate the security team users with the permission set and with the delegated security account.
D. Create an SCP that explicitly denies any user who is not on the security team from accessing Security Hub.
E. In Security Hub, turn on automatic enablement.
F. In the organization's management account, create an Amazon EventBridge rule that reacts to the CreateManagedAccount event. Create an AWS Lambda function that uses the Security Hub CreateMembers API operation to add new accounts to Security Hub. Configure the EventBridge rule to invoke the Lambda function.
Answer: ACF
Explanation:
To achieve the MOST automated way to meet these requirements, you should choose the following steps:
A. Turn on trusted access for Security Hub in the organization's management account. Create a new security account by using AWS Control Tower. Configure the new security account as the delegated administrator account for Security Hub. In the new security account, provide Security Hub with the CIS Benchmarks for AWS Foundations standards.
Explanation: Turning on trusted access for Security Hub in the management account and delegating administration to a security account helps centralize the security findings and apply CIS benchmarks. Setting up a security account will allow the security team to view aggregated findings, fulfilling one of the requirements.
C. Create an AWS IAM Identity Center (AWS Single Sign-On) permission set that includes the required permissions. Use the CreateAccountAssignment API operation to associate the security team users with the permission set and with the delegated security account.
Explanation: Creating an AWS SSO permission set with the necessary permissions and associating security team users with this permission set and the delegated security account will ensure that only the security team can access the centralized Security Hub findings.
F. In the organization's management account, create an Amazon EventBridge rule that reacts to the CreateManagedAccount event. Create an AWS Lambda function that uses the Security Hub CreateMembers API operation to add new accounts to Security Hub. Configure the EventBridge rule to invoke the Lambda function.
Explanation: Creating an EventBridge rule to trigger a Lambda function that automatically enrolls new accounts in Security Hub when they are created is an automated way to make sure all accounts are enrolled in Security Hub as per the requirement.
Option B is not selected because option A already configures CIS Benchmarks in the security account, which would be more appropriate than doing it in the management account.
Option D is not necessary, because access to Security Hub findings can be controlled through IAM and IAM Identity Center (AWS SSO), as described in option C, without an SCP that denies access.
Option E is not selected because automatic enablement in Security Hub is not stated to satisfy the question's specific permission requirements. Moreover, the EventBridge and Lambda automation in option F serves a similar purpose in a way that is more closely aligned with the requirements.
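An added example of the option F automation, not code from the question's source: an EventBridge event pattern for the Control Tower lifecycle event, plus a Lambda handler that takes the account ID only from a successful CreateManagedAccount event and passes it to the Security Hub CreateMembers API. It assumes the handler's Security Hub client carries the delegated administrator account's credentials (for example through an assumed role); the sample event, account IDs and the FakeSecurityHub stand-in are constructed for offline use.

```python
from typing import Any, Dict, List, Optional

# EventBridge pattern for the Control Tower lifecycle event, deployed in the management account.
# Assumption: the Lambda's Security Hub client carries the delegated administrator's credentials.
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount"]},
}

SAMPLE_EVENT = {  # constructed sample shaped like the real event; the account ID is a placeholder
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {
        "createManagedAccountStatus": {"state": "SUCCEEDED",
                                       "account": {"accountId": "111122223333"}}}},
}

def account_ids_from_event(event: Dict[str, Any]) -> List[str]:
    """Return the new account ID only for a successful CreateManagedAccount event."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return []
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    account_id = status.get("account", {}).get("accountId")
    # A FAILED or malformed event must not enroll a half-created account.
    return [account_id] if account_id and status.get("state") == "SUCCEEDED" else []

def enroll_accounts(account_ids: List[str], hub: Optional[Any] = None) -> Dict[str, Any]:
    """Call Security Hub CreateMembers and report which IDs it did not accept."""
    if not account_ids:
        return {"enrolled": [], "unprocessed": []}
    if hub is None:
        import boto3  # lazy import so the module loads offline without boto3
        hub = boto3.client("securityhub")
    resp = hub.create_members(AccountDetails=[{"AccountId": a} for a in account_ids])
    failed = {u["AccountId"] for u in resp.get("UnprocessedAccounts", [])}
    return {"enrolled": [a for a in account_ids if a not in failed], "unprocessed": sorted(failed)}

def lambda_handler(event: Dict[str, Any], context: Any = None, hub: Optional[Any] = None):
    return enroll_accounts(account_ids_from_event(event), hub)

class FakeSecurityHub:  # offline stand-in for the boto3 client; rejects the IDs in `reject`
    def __init__(self, reject=()):
        self.calls, self.reject = [], set(reject)
    def create_members(self, AccountDetails):
        self.calls.append(AccountDetails)
        return {"UnprocessedAccounts": [{"AccountId": d["AccountId"], "ProcessingResult": "x"}
                                        for d in AccountDetails if d["AccountId"] in self.reject]}
```

Any account listed under UnprocessedAccounts is not enrolled, so a production handler should surface that list (for example by raising) so the retry or alerting path sees it.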