AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 393
A company manages its multi-account environment by using AWS Organizations and AWS Control Tower. The company must deploy standardized security controls and compliance policies across all of its AWS accounts and AWS Regions. Any changes to these controls must be automatically applied to all accounts simultaneously.
The company has the required security controls and compliance policies defined in AWS Cloud Development Kit (AWS CDK) as a security controls construct.
Which solution will deploy these controls across all accounts and Regions with the LEAST operational overhead?
Answer options
- A. Create an AWS CDK app that includes an AWS CloudFormation StackSets construct. Configure the StackSets construct to use the security controls construct as its template. Specify the target accounts and Regions. Create automation to deploy the CDK app to create and manage the CloudFormation stack set.
- B. Create an AWS CDK app that synthesizes an AWS CloudFormation template from the security controls construct. Use Amazon EventBridge to invoke an AWS Lambda function to update a CloudFormation stack set when changes are made to the security controls construct.
- C. Convert the security controls construct to an AWS CloudFormation macro. Create a CloudFormation stack set that references the macro and deploys the macro to all target accounts. Use Organizations to automatically add new accounts to the stack set’s list of target accounts.
- D. Use AWS Control Tower to create a customized landing zone that includes configurations from the security controls construct. Configure AWS Control Tower to automatically enroll new accounts and to apply the landing zone template.
Correct answer: D
Explanation
AWS Control Tower provides a native, managed way to establish a customized landing zone that automatically deploys standardized guardrails and security configurations to all enrolled accounts with the least operational overhead. Using AWS Control Tower ensures that any new accounts are automatically enrolled and receive the required compliance policies without needing custom deployment pipelines. Other options involving manual StackSet management, Lambda functions, or custom CloudFormation macros introduce significant operational complexity and maintenance overhead.