🔥 3-day streak
AWS Certified DevOps Engineer - Professional157 / 204
Question 157 of 204

A company runs 40 AWS accounts under AWS Organizations. The security team maintains a Config managed rule that flags any RDS instance with public accessibility enabled. They want a fully automated response: whenever a noncompliant RDS instance is detected in ANY member account, an SSM Automation document should run in that same member account to modify the instance and disable public accessibility. The remediation logic must be centrally defined and maintained in a single dedicated Security account, and the team wants to minimize per-account custom deployments. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issueNext question