Domain 6 of 6 · Chapter 2 of 3

Secure Deployment

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.

Included in this chapter:

  • Why IaC is a security control, and how you gate it
  • StackSets: one template, many accounts
  • Central policy, secrets, and tags
  • Sharing resources: RAM vs Service Catalog
  • Exam-pattern recognition

Central deployment and sharing services on SCS-C03

ConcernCloudFormation StackSetsAWS Firewall ManagerAWS RAMAWS Service Catalog
What it doesDeploy one template to many accounts/RegionsApply WAF/network policies org-wideShare an existing resource across accountsPublish approved products for self-service
Needs AWS OrganizationsOnly for service-managed modelYes, all featuresNo, but enables invitation-free org sharingNo, optional org sharing of portfolios
Central admin roleAdministrator account (+ execution role)Delegated administrator accountResource-owning accountPortfolio administrator
Auto-covers new accountsYes, with auto-deployment to target OUYes, new in-scope accounts/resourcesYes, when shared to an OUNo, grant access per principal
Primary security valueConsistent, drift-checkable config everywhereUniform, unbypassable runtime guardrailsNo duplication, no broad resource policiesLaunch constraint runs as a role, not the user

Decision tree

What is the goal?secure multi-account deployDeploy same stackto many accounts?Enforce a runtime controlorg-wide?distribute IaCenforce / shareStackSetsservice-managed +auto-deploy to new OU acctsFirewall ManagerWAF, SG, Network/DNS FWnetwork/WAFUse vs create?cross-account resourceresourceAWS RAMshare existinguse existingService Catalogproduct + launch rolecreateAlways: gate templates first (cfn-lint+ Guard in CI, Hook server-side);secrets via dynamic reference, never plaintext

Cheat sheet

  • Deploy from reviewable IaC so config is gateable before it exists
  • cfn-lint checks syntax; Guard checks policy intent
  • Guard is general-purpose policy-as-code over any JSON or YAML
  • Use a CloudFormation Hook for unbypassable server-side enforcement
  • Prevent (lint/Guard/Hook) is not the same as detect (Config)
  • StackSets deploys one template across many accounts and Regions
  • StackSets self-managed needs roles; service-managed uses Organizations
  • Service-managed StackSets auto-deploys to accounts that join an OU
  • Control StackSets blast radius with concurrency and failure tolerance
  • Firewall Manager centrally enforces WAF and network policy org-wide
  • Firewall Manager prerequisites: Organizations, admin, Config, RAM
  • Use a dynamic reference, never a plaintext secret, in a template
  • Secrets Manager for rotatable secrets, ssm-secure for static
  • Secure dynamic references don't work in UserData or custom resources
  • Tag policies standardize tag keys, values, and case org-wide
  • A tag policy can enforce by blocking noncompliant tagging operations
  • AWS RAM shares an existing resource instead of duplicating it
  • RAM sharing within the org skips invitations after you enable it
  • A Service Catalog launch constraint provisions as a role, not the user
  • RAM to use an existing resource, Service Catalog to create approved ones
  • Updating a Service Catalog product version propagates to all portfolios
  • The ECS task execution role, not the task role, pulls secrets at startup
  • Use the task role for the application's own API calls and per-task auditability
  • Force a new ECS deployment to pick up a rotated Parameter Store or Secrets Manager value
  • Block container IMDS access so tasks can't inherit the EC2 instance role
  • Access Analyzer custom policy checks gate IAM policies in CI/CD
  • Service-managed StackSets skip the management account and can retain stacks on removal
  • Order dependent StackSets with DependsOn in auto-deployment settings
  • Exclude specific accounts from an OU deployment with the Difference account filter
  • The required-tags Config rule needs a custom remediation document, not AWS-SetRequiredTags
  • EventBridge-invoked Lambda needs a resource-based policy granting events.amazonaws.com
  • Capture failed EventBridge/Lambda remediation events with a DLQ or on-failure destination
  • CodePipeline manual approvals use SNS plus PutApprovalResult and log to CloudTrail
  • A Service Catalog template constraint restricts the parameter values users can pick
  • TagOptions force users to pick approved tag values, aligning with Organizations tag policies
  • A CloudFormation stack policy protects resources, with Deny overriding Allow
  • Find out-of-band changes with drift detection and undo them with REVERT_DRIFT
  • During rotation, read Secrets Manager with the AWSCURRENT staging label

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. What is AWS CloudFormation?
  2. Validating a CloudFormation template (cfn-lint)
  3. What is AWS CloudFormation Guard?
  4. CloudFormation Hooks structure and server-side enforcement
  5. Managing stacks across accounts and Regions with CloudFormation StackSets
  6. Create CloudFormation StackSets with service-managed permissions
  7. AWS Firewall Manager
  8. AWS Firewall Manager prerequisites
  9. Using dynamic references to specify external values in CloudFormation templates
  10. AWS Organizations tag policies
  11. What is AWS Resource Access Manager (RAM)?
  12. Enable resource sharing within AWS Organizations (AWS RAM)
  13. What is AWS Service Catalog?