Q15 — AWS DOP-C02 Ch.2


A company has selected AWS to host a new application and needs to implement a multi-account strategy. A DevOps engineer creates new AWS accounts and an organization in AWS Organizations. The DevOps engineer builds an organizational unit (OU) structure and uses AWS Control Tower to set up guardrails. The DevOps engineer must implement a solution that automatically deploys resources to new accounts created via the AWS Control Tower Account Factory. When a new account is created, the solution must automatically deploy AWS CloudFormation templates and service control policies (SCPs) scoped to the OU or account, attaching additional resources to the account. All OUs are automatically registered in AWS Control Tower.

Correct Answer: D. Deploy the Customizations for AWS Control Tower (CfCT) solution. Use AWS CodeCommit as the source repository. In the repository, create a customization package containing CloudFormation templates and SCP JSON documents.

Explanation

The Customizations for AWS Control Tower (CfCT) solution manages account resources as infrastructure as code. It uses AWS CodeCommit as the version-controlled repository for the customization package, which holds the CloudFormation templates and the SCP JSON documents. When a new AWS account is created through the Control Tower Account Factory, CfCT detects the new account and deploys the resource configurations and SCPs that the package maps to that account's OU. Option D relies on Control Tower's native extension mechanism and needs no external tooling (e.g., the CLI), no separately built triggers (e.g., EventBridge rules) and no additional orchestration, so every new account automatically inherits the customized resources. AWS documentation describes CfCT as the standard way to extend Control Tower across accounts and OUs. The other options depend on external tools or manual steps and therefore provide less automation.
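For illustration, this is what the customization package's manifest (manifest.yaml, CfCT v2 schema) might look like for the scenario above. It is an added example, not part of the original question or of the CfCT project's own files; the OU name, file paths, bucket name and account ID are constructed placeholders.

```yaml
# manifest.yaml at the root of the CfCT customization package (the CodeCommit repo).
# Added example; the OU name, file paths, bucket name and account ID are constructed.
region: us-east-1          # home region of the Control Tower landing zone
version: 2021-03-15        # CfCT manifest schema version

resources:
  # An SCP scoped to an OU. Every account that Account Factory places in this
  # OU is covered by the policy without any per-account action.
  - name: deny-leaving-organization
    description: Prevent member accounts from leaving the organization
    resource_file: policies/deny-leave-org.json   # SCP JSON document stored in the repo
    deploy_method: scp
    deployment_targets:
      organizational_units:
        - Workloads            # constructed OU name

  # A CloudFormation template deployed as a StackSet to the same OU plus one
  # explicitly listed account. CfCT adds stack instances for a new account when
  # the Control Tower CreateManagedAccount lifecycle event fires.
  - name: baseline-logging
    description: Account-level CloudTrail and AWS Config baseline
    resource_file: templates/baseline-logging.yaml
    deploy_method: stack_set
    parameters:
      - parameter_key: LogBucketName
        parameter_value: org-central-logs-example   # constructed value
    deployment_targets:
      organizational_units:
        - Workloads
      accounts:
        - "111111111111"       # placeholder account ID
    regions:
      - us-east-1
      - eu-west-1
```

The files named in each resource_file live alongside the manifest in the repository, and a commit to the configured branch starts the CfCT pipeline that validates the manifest and deploys the SCPs and StackSets to the listed targets.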