AWS Security Governance at Scale: What Are the Two Main Types of Guardrails in AWS Control Tower?

How Do Preventive and Detective Guardrails Enforce AWS Governance?

Learn the two fundamental types of guardrails in AWS: preventive and detective. Understand how preventive guardrails stop non-compliant actions before they happen and how detective guardrails identify policy violations after they occur for enterprise-wide governance.

Question

What are the types of guardrails in AWS? (Select TWO.)

A. Suspended
B. Detective
C. Active
D. Proactive
E. Preventive

Answer

B. Detective
E. Preventive

Explanation

The correct answers are B. Detective and E. Preventive. These are the two primary categories of guardrails used within the AWS governance framework, most notably in AWS Control Tower, to enforce policies at scale.

B. Detective: These guardrails are designed to detect non-compliant resources or policy violations that already exist within your environment and to generate alerts. They monitor the state of your resources and provide visibility into your compliance posture. The most common implementation of detective guardrails is through AWS Config Rules. For example, a detective guardrail can identify Amazon S3 buckets that are publicly accessible or EC2 instances that are not managed by AWS Systems Manager and flag them for remediation.

E. Preventive: These guardrails are designed to stop actions that would violate a policy from ever happening. They enforce your policies by disallowing non-compliant actions. The most common implementation of preventive guardrails is through AWS Organizations Service Control Policies (SCPs). For example, a preventive guardrail can deny users the ability to launch resources in an unapproved AWS region or prevent them from disabling essential security services like AWS CloudTrail. The action is blocked before it can be executed.
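As an added illustration (not part of the original question set or any Control Tower guardrail library), the following Python builds an SCP of the kind described above, one Deny statement for requests outside an approved region list and one that protects CloudTrail, and includes a minimal evaluator so the preventive effect can be checked offline. The approved regions, the global-service exemption list and the evaluator's limited condition support are assumptions of this example.

```python
import fnmatch
import json

# Assumptions for this constructed example: which regions are approved and
# which global services must stay reachable regardless of aws:RequestedRegion.
APPROVED_REGIONS = ["us-east-1", "eu-west-1"]
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*",
                          "cloudfront:*", "route53:*", "support:*"]

# Constructed SCP: the preventive guardrail. Attached to an OU, it filters
# what principals in member accounts may do, before the action executes.
REGION_AND_TRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny everything except global services outside the approved regions
            "Sid": "DenyUnapprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
        {   # Deny the calls that would switch off or weaken the audit trail
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail"],
            "Resource": "*",
        },
    ],
}

def _action_matches(patterns, action):
    # IAM action wildcards such as "iam:*" behave like shell-style globs here.
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def scp_denies(policy, action, region):
    """Return the Sid of the first Deny statement matching the request, else None.
    Minimal evaluator (assumption): Deny effect, Action/NotAction, and the
    StringNotEquals aws:RequestedRegion condition used in the policy above."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            matched = _action_matches(stmt["Action"], action)
        else:
            matched = not _action_matches(stmt["NotAction"], action)
        approved = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if matched and not (approved is not None and region in approved):
            return stmt["Sid"]
    return None

def scp_json():
    # The document you would pass to `aws organizations create-policy --type SERVICE_CONTROL_POLICY`.
    return json.dumps(REGION_AND_TRAIL_SCP, indent=2)

if __name__ == "__main__":
    print(scp_json())
    print(scp_denies(REGION_AND_TRAIL_SCP, "ec2:RunInstances", "ap-southeast-2"))
```

The evaluator only models the statements it ships with; a real SCP decision also depends on every policy in the OU path and on the IAM policies granting the Allow.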

Incorrect Options

A. Suspended: This describes the status or state of a guardrail (i.e., it has been temporarily disabled), not a functional type of guardrail.

C. Active: This is not a formal classification used by AWS. The function it implies is correctly described by the term “preventive.”

D. Proactive: While AWS has begun using this term to describe guardrails that check for compliance during the provisioning stage (e.g., using AWS CloudFormation Hooks), the two core, foundational types that form the basis of the AWS governance model are preventive and detective.
