AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 278
A company recently configured AWS Control Tower in its organization in AWS Organizations. The company enrolled all existing AWS accounts in AWS Control Tower. The company wants to ensure that all new AWS accounts are automatically enrolled in AWS Control Tower.
The company has an existing AWS Step Functions workflow that creates new AWS accounts and performs any actions required as part of account creation. The Step Functions workflow is defined in the same AWS account as AWS Control Tower.
Which combination of steps should the company add to the Step Functions workflow to meet these requirements? (Choose two.)
Answer options
- A. Create an Amazon EventBridge event that has an aws.controltower source and a CreateManagedAccount detail-type. Add the details of the new AWS account to the detail field of the event.
- B. Create an Amazon EventBridge event that has an aws.controltower source and a SetupLandingZone detail-type. Add the details of the new AWS account to the detail field of the event.
- C. Create an AWSControlTowerExecution role in the new AWS account. Configure the role to allow the AWS Control Tower administrator account to assume the role.
- D. Call the AWS Service Catalog ProvisionProduct API operation with the details of the new AWS account.
- E. Call the Organizations EnableAWSServiceAccess API operation with the controltower.amazonaws.com service name and the details of the new AWS account.
Correct answer: C, D
Explanation
To programmatically enroll an AWS account in AWS Control Tower, the target account must have an IAM role named AWSControlTowerExecution whose trust policy allows the Control Tower administrator (management) account to assume it. In addition, AWS Control Tower uses AWS Service Catalog through Account Factory to provision and enroll accounts, so the workflow must call the ProvisionProduct API operation. EventBridge events with the aws.controltower source are emitted by Control Tower for monitoring; creating such an event does not initiate enrollment. EnableAWSServiceAccess enables a service's integration at the organization level and does not enroll an individual account.
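As an added illustration (not part of the question bank's material): a Python snippet that builds the trust policy for the AWSControlTowerExecution role and reviews an existing trust policy to confirm that only the Control Tower management account can assume the role. The management account id is a constructed placeholder.

```python
# Constructed sample value (not from the question text): a placeholder
# management-account id for the AWS Control Tower administrator account.
MGMT_ACCOUNT_ID = "111122223333"

def execution_role_trust_policy(mgmt_account_id: str) -> dict:
    """Trust policy allowing only the Control Tower management account
    (its account root) to assume the AWSControlTowerExecution role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{mgmt_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def _as_list(value):
    # IAM allows a single string or a list for Action and Principal values.
    return [value] if isinstance(value, str) else list(value or [])

def trust_policy_findings(policy: dict, mgmt_account_id: str) -> list:
    """Review a trust policy before enrollment; returns the problems found
    (an empty list means only the management account may assume the role)."""
    findings = []
    mgmt_granted = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":
                findings.append(f"unexpected action: {action}")
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal: any AWS principal can assume the role")
            continue
        for key in principal:
            if key != "AWS":
                findings.append(f"non-AWS principal type: {key}")
        for arn in _as_list(principal.get("AWS")):
            if arn == "*":
                findings.append("wildcard AWS principal")
            elif f":{mgmt_account_id}:" in arn:
                mgmt_granted = True
            else:
                findings.append(f"principal outside management account: {arn}")
    if not mgmt_granted:
        findings.append("management account is not allowed to assume the role")
    return findings
```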