Q53 — AWS DOP-C02 Ch.1
Question 53 of 100
A company has enabled AWS Organizations for its organization and has 10 AWS accounts. The company has enabled AWS CloudTrail in the organization’s management account. The company expects the number of AWS accounts in the organization to grow to 500 within a year and plans to use multiple OUs. The company has already enabled AWS Config in each existing AWS account. A DevOps engineer needs to implement a solution that automatically enables AWS Config for any new AWS accounts created in the organization.
- A. In the organization’s management account, create an Amazon EventBridge rule to respond to CreateAccount API calls. Configure the rule to invoke an AWS Lambda function that enables AWS Config with trusted access.
- B. In the organization’s management account, create an AWS CloudFormation StackSet to enable AWS Config. Configure the StackSet to automatically deploy when accounts are created through the organization. ✓
- C. In the organization’s management account, create a Service Control Policy (SCP) that allows the appropriate AWS Config API calls to enable AWS Config. Apply the SCP to the root-level OU.
- D. In the organization’s management account, create an Amazon EventBridge rule to respond to CreateAccount API calls. Configure the rule to invoke an AWS Systems Manager Automation runbook to enable AWS Config for the account.
Correct Answer: B. In the organization’s management account, create an AWS CloudFormation StackSet to enable AWS Config. Configure the StackSet to automatically deploy when accounts are created through the organization.
Explanation
AWS CloudFormation StackSets are purpose-built to deploy stacks across multiple accounts and Regions. With the service-managed permission model (which requires trusted access between AWS Organizations and CloudFormation StackSets to be enabled in the management account) and automatic deployment turned on, a StackSet targeted at an OU is deployed to every account that is later created in or moved into that OU, with no per-account action. This is the native, declarative, and scalable mechanism for ensuring consistent service enablement (such as AWS Config) across hundreds of accounts, and it fits the planned growth to 500 accounts across multiple OUs. Option B directly satisfies the requirement with minimal operational overhead. Options A and D rely on reactive, event-driven automation that must handle failures, cross-account permissions, and ongoing maintenance of custom code or runbooks. Option C is incorrect because SCPs only set the maximum permissions available in member accounts; they cannot enable or configure a service. Therefore, Option B is the correct and recommended solution.