Question 10
Domain 2: Configuration Management and Infrastructure as Code
A company has chosen AWS to host a new application. The company needs to implement a multi-account strategy. A DevOps engineer creates a new AWS account and an organization in AWS Organizations. The DevOps engineer also creates the OU structure for the organization and sets up a landing zone by using AWS Control Tower. The DevOps engineer must implement a solution that automatically deploys resources for new accounts that users create through AWS Control Tower Account Factory. When a user creates a new account, the solution must apply AWS CloudFormation templates and SCPs that are customized for the OU or the account to automatically deploy all the resources that are attached to the account. All the OUs are enrolled in AWS Control Tower. Which solution will meet these requirements in the MOST automated way?
Correct answer: D
Explanation
Customizations for AWS Control Tower (CfCT) is built to “apply AWS CloudFormation templates and SCPs” to enrolled OUs and accounts, which matches the requirement to automatically deploy resources for new Account Factory accounts. Using a CodeCommit repository as the source lets you package the CloudFormation templates and SCP JSON documents so the solution can deploy OU- or account-specific customizations with minimal manual effort.
Why each option is right or wrong
A. Use AWS Service Catalog with AWS Control Tower. Create portfolios and products in AWS Service Catalog. Grant granular permissions to provision these resources. Deploy SCPs by using the AWS CLI and JSON documents.
Service Catalog provisions products, but it is not the native automation path for OU/account customizations and SCP rollout.
B. Deploy CloudFormation stack sets by using the required templates. Enable automatic deployment. Deploy stack instances to the required accounts. Deploy a CloudFormation stack set to the organization’s management account to deploy SCPs.
StackSets can deploy CloudFormation resources, but SCPs are Organizations policies, not standard CloudFormation stack resources.
C. Create an Amazon EventBridge rule to detect the CreateManagedAccount event. Configure AWS Service Catalog as the target to deploy resources to any new accounts. Deploy SCPs by using the AWS CLI and JSON documents.
EventBridge can detect account creation, but targeting Service Catalog does not provide the intended Control Tower customization workflow.
D. Deploy the Customizations for AWS Control Tower (CfCT) solution. Use an AWS CodeCommit repository as the source. In the repository, create a custom package that includes the CloudFormation templates and the SCP JSON documents.
Customizations for AWS Control Tower (CfCT) is the AWS-provided solution designed to push both AWS CloudFormation stacks and service control policies to enrolled OUs and accounts, and it acts on accounts provisioned through Account Factory. It is driven from a source repository such as AWS CodeCommit: the customization package in the repository contains a manifest, the CloudFormation templates, and the SCP JSON files, and CfCT applies them to the target OU or account automatically as new accounts are created, so no manual post-provisioning steps are needed.
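As an added example that is not part of the question or of the CfCT project's own code, the manifest below shows how the custom package in option D ties a CloudFormation template and an SCP document to an OU using the CfCT manifest v2 schema; the OU name, file names and parameter values are placeholders.

```yaml
# manifest.yaml at the root of the CfCT CodeCommit repository (added example).
# Repository layout assumed for this example:
#   manifest.yaml
#   templates/baseline-logging.template   (CloudFormation template)
#   policies/deny-leaving-org.json        (SCP document)
region: us-east-1          # home region of the Control Tower landing zone
version: 2021-03-15        # CfCT manifest schema version (v2)

resources:
  # CloudFormation template deployed as a StackSet. Because the target is an OU,
  # CfCT also creates stack instances in accounts that Account Factory later
  # adds to that OU, which is what makes the rollout automatic.
  - name: baseline-logging
    description: Per-account logging baseline for the Workloads OU
    resource_file: templates/baseline-logging.template
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Workloads            # placeholder OU name
    parameters:
      - parameter_key: RetentionDays
        parameter_value: "365"
    regions:
      - us-east-1

  # SCP from the same package. deploy_method: scp attaches the policy JSON to the
  # listed OUs; SCP targets in the manifest are OUs, not individual accounts, so
  # account-specific controls belong in the stack_set resources above.
  - name: deny-leaving-organization
    description: Prevent member accounts from leaving the organization
    resource_file: policies/deny-leaving-org.json
    deploy_method: scp
    deployment_targets:
      organizational_units:
        - Workloads
```

Committing this manifest to the branch the CfCT pipeline watches triggers a run that validates the manifest and then deploys the SCP and the stack set; confirm the result under CloudFormation StackSets and Organizations policies before pointing the manifest at production OUs.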