Q70 — AWS DOP-C02 Ch.1

A company selected AWS to host a new application and requires a multi-account strategy. A DevOps engineer created a new AWS account and organization in AWS Organizations, built an OU structure, and set up a Landing Zone using AWS Control Tower. The engineer now needs to implement a solution that automatically deploys resources for new accounts provisioned via AWS Control Tower Account Factory. When a new account is created, the solution must apply OU- or account-specific AWS CloudFormation templates and Service Control Policies (SCPs) to deploy attached resources. All OUs are registered in AWS Control Tower.

Correct Answer: D. Deploy Customizations for AWS Control Tower (CfCT). Use an AWS CodeCommit repository as the source. In the repository, define a custom package containing CloudFormation templates and SCP JSON documents.

Explanation

Customizations for AWS Control Tower (CfCT) is the official, supported framework for extending Control Tower with custom CloudFormation templates and SCPs per OU or account. It integrates natively with Account Factory and automatically applies configurations when an account is created. Option D directly implements CfCT with version-controlled templates in CodeCommit, meeting the automation, customization, and organizational governance requirements. Options A, B, and C lack native integration with Account Factory's provisioning flow or fail to support OU- or account-scoped policies out of the box. Thus, Option D is correct.