Q35 — AWS DOP-C02 Ch.1
Question 35 of 100
A company has begun using AWS across multiple teams. Each team operates multiple accounts with unique security configurations. The company manages an organizational account aligned with industry security compliance frameworks. Each account maintains its own configuration and security controls. The development team wants to leverage preventive and detective controls to govern their accounts. As the company creates new accounts in the organization, the security team needs to ensure ongoing security for both current and future accounts.
- A. Use Organizations to create appropriate OUs and attach appropriate SCPs for each team. Place team accounts in appropriate OUs for security control. Create any new team accounts in the appropriate OUs.
- B. Create an AWS Control Tower landing zone. Configure OUs and appropriate controls in AWS Control Tower for existing teams. Configure trusted access for AWS Control Tower. Register existing accounts into appropriate OUs matching each team’s security policies. Use AWS Control Tower to provision any new accounts. ✓
- C. Create AWS CloudFormation StackSets in the organization’s management account. Configure the StackSet to deploy AWS Config rules and remediation actions to every account in the organization. Update the StackSet upon new account creation to deploy to the new account.
- D. Deploy AWS Config to manage AWS Config rules across all AWS accounts in the organization. Deploy conformance packs that deliver AWS Config rules and remediation actions across the entire organization.
Correct Answer: B. Create an AWS Control Tower landing zone. Configure OUs and appropriate controls in AWS Control Tower for existing teams. Configure trusted access for AWS Control Tower. Register existing accounts into appropriate OUs matching each team’s security policies. Use AWS Control Tower to provision any new accounts.
Explanation
AWS Control Tower is purpose-built for multi-account governance: it provides a preconfigured landing zone with built-in guardrails (both preventive and detective controls), OU-based policy inheritance, and automated account provisioning. Registering existing accounts into appropriately configured OUs and provisioning new accounts through Control Tower applies the security policies (SCPs, AWS Config rules, and remediation workflows) consistently and automatically, which meets the requirement for continuous, scalable governance across both existing and future accounts. The other options each fall short: option A relies on SCPs alone, which are preventive controls only and provide no detective capability; option C requires updating the StackSet every time an account is created, so coverage of new accounts is manual rather than ongoing; option D delivers only detective controls through AWS Config rules and remediation, with no preventive guardrails.