Control Tower Guardrails vs SCPs for RDS | SAP-C02

Author: Jeff Taakey, 21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the AWS SAP-C02, many candidates confuse the three types of Control Tower guardrails (mandatory, strongly recommended, elective) and their enforcement mechanisms. In the real world, this is fundamentally a decision about Detection vs. Prevention and Governance Scalability. Let’s drill into a simulated scenario.

The Scenario

GlobalFinance Corp operates a multi-account AWS environment managed through AWS Organizations, with AWS Control Tower providing the landing zone foundation. The company has separate Organizational Units (OUs) for Development, Staging, and Production workloads.

The Chief Compliance Officer has mandated a new security policy: all Amazon RDS database instances in the Production OU must have encryption-at-rest enabled. The security team needs to implement continuous monitoring to detect any non-compliant RDS instances that might be launched without encryption.

The solution must:

  • Work natively within the existing Control Tower framework
  • Provide automated, continuous compliance visibility
  • Scale across all current and future accounts in the Production OU
  • Minimize custom code and operational overhead

Key Requirements

Implement a governance policy that detects Amazon RDS database instances without encryption-at-rest enabled, scoped specifically to the Production OU.

The Options

  • A) Enable a mandatory (enforced) guardrail in AWS Control Tower and apply it to the Production OU.
  • B) Enable the appropriate guardrail from AWS Control Tower’s strongly recommended guardrails list and apply it to the Production OU.
  • C) Create a new enforced guardrail using AWS Config and apply the rule to resources in the Production OU.
  • D) Create a custom Service Control Policy (SCP) in AWS Control Tower and apply it to the Production OU.

Correct Answer

Option B - Enable the appropriate guardrail from AWS Control Tower’s strongly recommended guardrails list and apply it to the Production OU.

Step-by-Step Winning Logic

AWS Control Tower provides a pre-built strongly recommended detective guardrail specifically for this use case: “Detect whether encryption is enabled for Amazon RDS database instances” (Control: AWS-GR_RDS_STORAGE_ENCRYPTED).

Why this is the optimal solution:

  1. Native Detection Capability: This strongly recommended guardrail is a detective control, implemented as an AWS Config rule that continuously monitors resource compliance.

  2. Pre-Built & Tested: AWS maintains these guardrails, eliminating custom development, testing cycles, and ongoing maintenance burden.

  3. OU-Scoped Governance: Can be selectively enabled at the OU level, applying automatically to all current and future accounts within the Production OU.

  4. Zero Custom Code: Leverages managed infrastructure—no Lambda functions, custom Config rules, or orchestration logic required.

  5. Compliance Dashboard Integration: Violations automatically appear in the Control Tower dashboard with account-level visibility.


💎 Professional-Level Analysis

This section breaks down the scenario from a professional exam perspective, focusing on constraints, trade-offs, and the decision signals used to eliminate incorrect options.

🔐 Expert Deep Dive: Why Options Fail

This walkthrough explains how the exam expects you to reason through the scenario step by step, highlighting the constraints and trade-offs that invalidate each incorrect option.

🔐 The Traps (Distractor Analysis)

This section explains why each incorrect option looks reasonable at first glance, and the specific assumptions or constraints that ultimately make it fail.

The difference between the correct answer and the distractors comes down to one decision assumption most candidates overlook.

  • Why not Option A (Mandatory/Enforced Guardrails)?

    • Mandatory guardrails are preventive controls (SCPs) that block actions, not detective controls that detect existing resources.
    • AWS Control Tower’s mandatory guardrails cover foundational governance (e.g., “Disallow policy changes to log archive”) but do not include RDS encryption detection in the mandatory set.
    • Even if you could create a custom “enforced” guardrail, it would prevent creation of unencrypted databases but wouldn’t detect existing ones.
  • Why not Option C (Custom AWS Config Rule)?

    • Technically feasible but architecturally redundant—you’d be rebuilding what Control Tower already provides.
    • Breaks the Control Tower governance model by operating outside its framework.
    • Higher operational complexity: manual rule deployment, lifecycle management, and aggregation across accounts.
    • Cost-inefficient: Duplicates Config rule charges without adding value.
  • Why not Option D (Custom SCP)?

    • SCPs are preventive controls (deny/allow API actions), not detective.
    • An SCP could prevent launching unencrypted RDS instances (Deny rds:CreateDBInstance if StorageEncrypted != true), but it cannot detect existing non-compliant resources.
    • Wrong tool for the requirement—the question explicitly asks for detection, not prevention.
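The detection-versus-prevention distinction drawn above, as an added Python example (not code from the original post, from AWS, or from Control Tower; standard library only). It runs a Config-style evaluation over a constructed list of existing instances, then runs the page's Deny statement through a simplified single-statement IAM evaluator against three constructed CreateDBInstance request contexts. Two assumptions are labelled in the code: the evaluator models only Bool/BoolIfExists semantics for one statement, and a call that omits the StorageEncrypted parameter is taken to leave the rds:StorageEncrypted key absent from the request context.

```python
"""Detective vs. preventive controls over the same RDS fleet.

Added example (standard library only). The sample data is constructed, not
real AWS output, and the policy evaluator is a deliberately simplified model
of IAM condition semantics for a single Deny statement.
"""

# Constructed sample shaped like the DBInstances list that rds:DescribeDBInstances
# returns, trimmed to the two fields the encryption check needs.
EXISTING_INSTANCES = [
    {"DBInstanceIdentifier": "prod-orders-db", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "prod-legacy-db", "StorageEncrypted": False},  # created before the policy
    {"DBInstanceIdentifier": "prod-reports-db", "StorageEncrypted": True},
]

# The SCP statement shown on this page, as a Python dict.
SCP_STATEMENT = {
    "Effect": "Deny",
    "Action": "rds:CreateDBInstance",
    "Resource": "*",
    "Condition": {"Bool": {"rds:StorageEncrypted": "false"}},
}

# Same intent with the ...IfExists form, so a request that omits the
# StorageEncrypted parameter (assumption: the key is then absent from the
# request context) is still denied rather than slipping through.
HARDENED_STATEMENT = {
    **SCP_STATEMENT,
    "Condition": {"BoolIfExists": {"rds:StorageEncrypted": "false"}},
}


def evaluate_rds_encryption(instances):
    """Detective control: classify every *existing* instance, the way a Config
    rule reports COMPLIANT / NON_COMPLIANT per resource."""
    return {
        inst["DBInstanceIdentifier"]: "COMPLIANT" if inst.get("StorageEncrypted") else "NON_COMPLIANT"
        for inst in instances
    }


def scp_denies(statement, action, request_context):
    """Preventive control: does one Deny statement match one API call?

    Simplified IAM semantics (assumption: one statement, Bool/BoolIfExists only):
      Bool          - a key missing from the request context never matches.
      BoolIfExists  - a missing key counts as a match.
    The statement is only consulted at call time; resources that already
    exist are never passed through it, which is why an SCP cannot "detect".
    """
    if statement.get("Effect") != "Deny":
        return False
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if action not in actions:
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, wanted in pairs.items():
            if key not in request_context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(request_context[key]).lower() != str(wanted).lower():
                return False
    return True


if __name__ == "__main__":
    # Detective view: the legacy instance is found even though it pre-dates the policy.
    print(evaluate_rds_encryption(EXISTING_INSTANCES))
    # Preventive view: only new create calls are judged; the legacy instance is invisible here.
    calls = [
        ("explicitly unencrypted", {"rds:StorageEncrypted": "false"}),
        ("encrypted", {"rds:StorageEncrypted": "true"}),
        ("parameter omitted", {}),
    ]
    for label, ctx in calls:
        print(f"{label:>22}: Bool -> {scp_denies(SCP_STATEMENT, 'rds:CreateDBInstance', ctx)!s:5} "
              f"BoolIfExists -> {scp_denies(HARDENED_STATEMENT, 'rds:CreateDBInstance', ctx)}")
```

The detective view reports prod-legacy-db as NON_COMPLIANT although no API call was ever made against it again; the SCP never sees that instance at all, which is the whole reason Option D fails the requirement. The third request shows why a preventive policy deserves the BoolIfExists form: with plain Bool, a missing key fails to match and the Deny does not apply.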

🔐 The Solution Blueprint

This blueprint visualizes the expected solution, showing how services interact and which architectural pattern the exam is testing.

Seeing the full solution end to end often makes the trade-offs—and the failure points of simpler options—immediately clear.

```mermaid
graph TD
    A[AWS Control Tower<br/>Management Account] -->|Strongly Recommended<br/>Detective Guardrail| B[Production OU]
    B --> C[Account 1<br/>Production Workload]
    B --> D[Account 2<br/>Production Workload]
    B --> E[Account N<br/>Production Workload]
    C --> F[AWS Config Rule<br/>RDS Encryption Check]
    D --> G[AWS Config Rule<br/>RDS Encryption Check]
    E --> H[AWS Config Rule<br/>RDS Encryption Check]
    F --> I[Non-Compliant RDS<br/>Instance Detected]
    I --> J[Control Tower<br/>Compliance Dashboard]
    J --> K[Security Team<br/>Notification via SNS]
    style B fill:#ff9999,stroke:#333,stroke-width:2px
    style F fill:#99ccff,stroke:#333,stroke-width:2px
    style G fill:#99ccff,stroke:#333,stroke-width:2px
    style H fill:#99ccff,stroke:#333,stroke-width:2px
    style J fill:#99ff99,stroke:#333,stroke-width:2px
```

Diagram Note: The strongly recommended detective guardrail automatically deploys AWS Config rules to all accounts in the Production OU, funneling compliance data to the centralized Control Tower dashboard.

🔐 The Decision Matrix

This matrix compares all options across cost, complexity, and operational impact, making the trade-offs explicit and the correct choice logically defensible.

At the professional level, the exam expects you to justify your choice by explicitly comparing cost, complexity, and operational impact.

| Option | Mechanism | Detection Capability | Est. Monthly Cost | Operational Complexity | Pros | Cons |
|---|---|---|---|---|---|---|
| A: Mandatory Guardrail | SCP (Preventive) | ❌ None (Preventive only) | $0 | Low | Zero cost; automatic enforcement | Wrong control type; cannot detect existing resources |
| B: Strongly Recommended Guardrail | AWS Config Rule (Detective) | ✅ Continuous Detection | ~$6-12/account/month (2 regions × $2/rule + config items) | Very Low | Pre-built; native Control Tower integration; auto-scales to new accounts | Incurs Config costs; detective only (allows initial creation) |
| C: Custom AWS Config Rule | AWS Config Rule (Detective) | ✅ Continuous Detection | ~$6-12/account/month + $5k-15k development | High | Full customization; works independently | Reinvents the wheel; breaks Control Tower model; ongoing maintenance |
| D: Custom SCP | SCP (Preventive) | ❌ None (Preventive only) | $0 | Medium | Zero ongoing cost; prevents future violations | Wrong tool; cannot detect existing non-compliant resources; requires JSON policy expertise |

FinOps Insight: While Option D (SCP) appears cost-free, it fails the functional requirement. Option B costs ~$240/year per account but delivers the exact capability needed with minimal engineering effort. For a 10-account Production OU, that’s $2,400/year—negligible compared to the $50k+ cost of building and maintaining a custom detection system (Option C).

🔐 Real-World Practitioner Insight

This section connects the exam scenario to real production environments, highlighting how similar decisions are made—and often misjudged—in practice.

This is the kind of decision that frequently looks correct on paper, but creates long-term friction once deployed in production.

Exam Rule

For the SAP-C02 exam, remember this decision tree:

  • Detect existing non-compliance → Detective guardrails (strongly recommended/elective) or AWS Config
  • Prevent future non-compliance → Preventive guardrails (mandatory) or SCPs
  • RDS encryption detection is a built-in strongly recommended guardrail—always prefer native over custom when available.

Real World

GlobalFinance Corp is a global financial services company that must ensure every RDS instance is encrypted across a multi-region production environment. In practice, it would likely implement a layered defense:

  1. Enable Option B (Detective Guardrail) for visibility and compliance reporting
  2. Add Option D (Custom SCP) to prevent future unencrypted RDS creation. As a complete, attachable policy document (the single statement wrapped in the Version/Statement envelope an SCP requires):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "rds:CreateDBInstance",
      "Resource": "*",
      "Condition": {
        "Bool": {"rds:StorageEncrypted": "false"}
      }
    }
  ]
}
```

  3. Automate remediation with AWS Config Conformance Packs + Systems Manager Automation to bring existing non-compliant instances into compliance (RDS cannot encrypt an existing instance in place; remediation means snapshotting it, copying the snapshot with encryption enabled, and restoring from the encrypted copy)
  4. Integrate with SIEM (e.g., Security Hub, Splunk) for cross-platform correlation

Additional real-world considerations:

  • Multi-region complexity: The guardrail must be enabled in all regions where Production accounts operate RDS instances
  • Exception handling: You’d need a waiver process for legitimate use cases (e.g., read replicas of on-premises unencrypted databases during migration)
  • Cost optimization: For organizations with 100+ accounts, AWS Config costs become material ($24k/year for 10 accounts); consider AWS Config Aggregators to consolidate data and reduce redundant rules
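The multi-region consideration above, as an added Python example (not the page's, AWS's, or Control Tower's code; standard library only). It rolls up constructed per-account, per-region results for the AWS-GR_RDS_STORAGE_ENCRYPTED rule, shaped like aggregated AWS Config compliance summaries, and separates genuine NON_COMPLIANT findings from account/region pairs where the rule produced no evidence at all. Account IDs and regions are placeholders, and the record shape is an assumption modelled on Config's ComplianceType values.

```python
"""Roll up Config rule results across Production OU accounts and regions, and
flag where the guardrail produced no evidence at all.

Added example (standard library only). The records are constructed to look
like aggregated per-account, per-region compliance results; they are not
real output. Account IDs and regions are placeholders.
"""

RULE = "AWS-GR_RDS_STORAGE_ENCRYPTED"  # control name as cited on this page

# Constructed sample: one record per (account, region, rule), as a Config
# aggregator would summarise it. INSUFFICIENT_DATA means the rule exists but
# has not evaluated anything yet.
AGGREGATED_RESULTS = [
    {"AccountId": "111111111111", "AwsRegion": "us-east-1", "ConfigRuleName": RULE, "ComplianceType": "COMPLIANT"},
    {"AccountId": "111111111111", "AwsRegion": "eu-west-1", "ConfigRuleName": RULE, "ComplianceType": "NON_COMPLIANT"},
    {"AccountId": "222222222222", "AwsRegion": "us-east-1", "ConfigRuleName": RULE, "ComplianceType": "NON_COMPLIANT"},
    # 222222222222 also runs RDS in eu-west-1, but no record exists: the guardrail was never enabled there.
    {"AccountId": "333333333333", "AwsRegion": "us-east-1", "ConfigRuleName": RULE, "ComplianceType": "INSUFFICIENT_DATA"},
    {"AccountId": "333333333333", "AwsRegion": "eu-west-1", "ConfigRuleName": RULE, "ComplianceType": "COMPLIANT"},
    {"AccountId": "333333333333", "AwsRegion": "us-east-1", "ConfigRuleName": "unrelated-rule", "ComplianceType": "COMPLIANT"},
]

# Constructed scope: which accounts belong to the Production OU and which
# regions the landing zone governs.
PRODUCTION_OU_ACCOUNTS = {"111111111111", "222222222222", "333333333333"}
GOVERNED_REGIONS = {"us-east-1", "eu-west-1"}


def rollup(results, accounts, regions, rule=RULE):
    """Return the NON_COMPLIANT (account, region) pairs and the pairs where the
    rule produced no usable evidence. A dashboard that only lists NON_COMPLIANT
    rows shows the second group as green, which is the multi-region trap."""
    evidence = {}
    for rec in results:
        if rec["ConfigRuleName"] != rule:
            continue  # other rules are irrelevant to this check
        evidence[(rec["AccountId"], rec["AwsRegion"])] = rec["ComplianceType"]
    non_compliant = sorted(k for k, v in evidence.items() if v == "NON_COMPLIANT")
    coverage_gaps = sorted(
        (acct, region)
        for acct in accounts
        for region in regions
        if evidence.get((acct, region)) not in ("COMPLIANT", "NON_COMPLIANT")
    )
    return {"non_compliant": non_compliant, "coverage_gaps": coverage_gaps}


if __name__ == "__main__":
    summary = rollup(AGGREGATED_RESULTS, PRODUCTION_OU_ACCOUNTS, GOVERNED_REGIONS)
    for acct, region in summary["non_compliant"]:
        print(f"NON_COMPLIANT  {acct} {region}")
    for acct, region in summary["coverage_gaps"]:
        print(f"NO EVIDENCE    {acct} {region}  (guardrail not enabled or not yet evaluated)")
```

Treating "no record" and INSUFFICIENT_DATA as a separate finding class is the practical check behind the multi-region bullet: a region where the guardrail was never enabled produces no violations, and a report that counts only violations will call it compliant.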
