Q15 — AWS DOP-C02 Ch.2
A company has selected AWS to host a new application and needs to implement a multi-account strategy. A DevOps engineer creates new AWS accounts and an organization in AWS Organizations. The DevOps engineer builds an organizational unit (OU) structure and uses AWS Control Tower to set up guardrails. The DevOps engineer must implement a solution that automatically deploys resources to new accounts created via the AWS Control Tower Account Factory. When a new account is created, the solution must automatically deploy AWS CloudFormation templates and service control policies (SCPs) scoped to the OU or account, attaching additional resources to the account. All OUs are automatically registered in AWS Control Tower.
- A. Use AWS Service Catalog with AWS Control Tower. Create portfolios and products in AWS Service Catalog. Grant fine-grained permissions to provision these resources. Deploy SCPs using the AWS CLI and JSON documents.
- B. Deploy CloudFormation stack sets with the required templates. Enable automatic deployment. Deploy stack instances to the required accounts. Deploy CloudFormation stack sets from the organization’s management account to deploy SCPs.
- C. Create an Amazon EventBridge rule to detect CreateManagedAccount events. Configure AWS Service Catalog to deploy resources to any new account. Deploy SCPs using the AWS CLI and JSON documents.
- D. Deploy the Customizations for AWS Control Tower (CfCT) solution. Use AWS CodeCommit as the source repository. In the repository, create a customization package containing CloudFormation templates and SCP JSON documents. ✓
Correct Answer: D. Deploy the Customizations for AWS Control Tower (CfCT) solution. Use AWS CodeCommit as the source repository. In the repository, create a customization package containing CloudFormation templates and SCP JSON documents.
Explanation
The Customizations for AWS Control Tower (CfCT) solution enables infrastructure-as-code management of resources across an AWS Control Tower landing zone. It uses AWS CodeCommit as a version-controlled repository for a customization package that contains CloudFormation templates and SCP JSON documents, each declared in the package's manifest with the OUs or accounts it targets. When a new AWS account is created through the Control Tower Account Factory, CfCT automatically detects the new account and deploys the stacks and SCPs whose declared targets cover that account's OU. Option D uses AWS Control Tower's native extension mechanism without requiring external tooling (for example, the AWS CLI), separately built event triggers (for example, a custom EventBridge rule), or additional orchestration, so every new account automatically inherits the customized resources. AWS documentation describes CfCT as the standard way to extend Control Tower functionality across accounts and OUs. The other options either rely on external tools or require manual intervention, resulting in lower automation.