Q35 — AWS DOP-C02 Ch.1

A company has begun using AWS across multiple teams. Each team operates multiple accounts with unique security configurations. The company manages an organizational account aligned with industry security compliance frameworks. Each account maintains its own configuration and security controls. The development team wants to leverage preventive and detective controls to govern their accounts. As the company creates new accounts in the organization, the security team needs to ensure ongoing security for both current and future accounts.

Correct Answer: B. Create an AWS Control Tower landing zone. Configure OUs and appropriate controls in AWS Control Tower for existing teams. Configure trusted access for AWS Control Tower. Register existing accounts into appropriate OUs matching each team’s security policies. Use AWS Control Tower to provision any new accounts.

Explanation

AWS Control Tower is purpose-built for multi-account governance, providing a preconfigured landing zone with built-in guardrails (preventive and detective controls), OU-based policy inheritance, and automated account provisioning. By registering existing accounts into appropriately configured OUs and provisioning new accounts through Control Tower, security policies—including SCPs, Config rules, and remediation workflows—are automatically applied consistently. This meets the requirement for continuous, scalable security governance across both existing and future accounts. Other options lack native integration, automation for new accounts, or standardized guardrail enforcement.