AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 186
A company has an AWS Control Tower landing zone that manages its organization in AWS Organizations. The company created an OU structure that is based on the company's requirements. The company's DevOps team has established the core accounts for the solution and an account for all centralized AWS CloudFormation and AWS Service Catalog solutions.
The company wants to offer a series of customizations that an account can request through AWS Control Tower.
Which combination of steps will meet these requirements? (Choose three.)
Answer options
- A. Enable trusted access for CloudFormation with Organizations by using service-managed permissions.
- B. Create an IAM role that is named AWSControlTowerBlueprintAccess. Configure the role with a trust policy that allows the AWSControlTowerAdmin role in the management account to assume the role. Attach the AWSServiceCatalogAdminFullAccess IAM policy to the AWSControlTowerBlueprintAccess role.
- C. Create a Service Catalog product for each CloudFormation template.
- D. Create a CloudFormation stack set for each CloudFormation template. Enable automatic deployment for each stack set. Create a CloudFormation stack instance that targets specific OUs.
- E. Deploy the Customizations for AWS Control Tower (CfCT) CloudFormation stack.
- F. Create a CloudFormation template that contains the resources for each customization.
Correct answer: B, C, F
Explanation
The correct steps are to create the AWSControlTowerBlueprintAccess IAM role, which the AWSControlTowerAdmin role in the management account can assume and which has the AWSServiceCatalogAdminFullAccess policy attached (B), to create a Service Catalog product for each CloudFormation template (C), and to create a CloudFormation template that contains the resources for each customization (F). Options A, D, and E are not necessary for the specified requirements and do not directly contribute to offering the customizations through AWS Control Tower.