Q70 — AWS DOP-C02 Ch.1
A company selected AWS to host a new application and requires a multi-account strategy. A DevOps engineer created a new AWS account and organization in AWS Organizations, built an OU structure, and set up a Landing Zone using AWS Control Tower. The engineer now needs to implement a solution that automatically deploys resources for new accounts provisioned via AWS Control Tower Account Factory. When a new account is created, the solution must apply OU- or account-specific AWS CloudFormation templates and Service Control Policies (SCPs) to deploy attached resources. All OUs are registered in AWS Control Tower.
- A. Integrate AWS Service Catalog with AWS Control Tower. Create portfolios and products in AWS Service Catalog and grant fine-grained permissions for provisioning. Deploy SCPs using AWS CLI and JSON documents.
- B. Deploy CloudFormation StackSets with required templates. Enable automatic deployment and deploy stack instances to target accounts. Deploy SCPs via CloudFormation StackSets in the organization’s management account.
- C. Create an Amazon EventBridge rule to detect CreateManagedAccount events. Configure AWS Service Catalog to deploy resources to new accounts. Deploy SCPs using AWS CLI and JSON documents.
- D. Deploy Customizations for AWS Control Tower (CfCT). Use an AWS CodeCommit repository as the source. In the repository, define a custom package containing CloudFormation templates and SCP JSON documents. ✓
Correct Answer: D. Deploy Customizations for AWS Control Tower (CfCT). Use an AWS CodeCommit repository as the source. In the repository, define a custom package containing CloudFormation templates and SCP JSON documents.
Explanation
Customizations for AWS Control Tower (CfCT) is the official, supported framework for extending Control Tower with custom CloudFormation templates and SCPs per OU or account. It integrates natively with Account Factory, automatically applying configurations upon account creation. Option D directly implements CfCT with version-controlled templates in CodeCommit, meeting the full automation, customization, and organizational governance requirements. Options A, B, and C lack native integration with Account Factory’s provisioning flow or fail to support OU/account-scoped policies out of the box. Thus, Option D is correct.