AWS Certified Solutions Architect – Associate (SAA-C03) — Question 554
A company's solutions architect is designing an AWS multi-account solution that uses AWS Organizations. The solutions architect has organized the company's accounts into organizational units (OUs).
The solutions architect needs a solution that will identify any changes to the OU hierarchy. The solution also needs to notify the company's operations team of any changes.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Provision the AWS accounts by using AWS Control Tower. Use account drift notifications to identify the changes to the OU hierarchy.
- B. Provision the AWS accounts by using AWS Control Tower. Use AWS Config aggregated rules to identify the changes to the OU hierarchy.
- C. Use AWS Service Catalog to create accounts in Organizations. Use an AWS CloudTrail organization trail to identify the changes to the OU hierarchy.
- D. Use AWS CloudFormation templates to create accounts in Organizations. Use the drift detection operation on a stack to identify the changes to the OU hierarchy.
Correct answer: A
Explanation
AWS Control Tower is built on top of AWS Organizations and keeps a record of the landing zone it deployed: the registered OUs, the enrolled accounts and the guardrails (SCPs and Config rules) attached to them. When something changes that state outside Control Tower, for example an account is moved between OUs or a registered OU is deleted, Control Tower reports it as governance drift. Drift is shown on the Control Tower dashboard and published as a notification to an Amazon SNS topic in the audit account, so the operations team only has to subscribe to that topic (email, chat integration or a Lambda function) to be told about every change to the OU hierarchy. No rules, trails or custom event plumbing need to be written or maintained, which is why option A has the least operational overhead. One caveat to keep in mind: Control Tower only watches OUs that are registered with it and accounts that are enrolled, so OUs created directly in Organizations and never registered are outside its drift detection.
The other options all require additional, custom work. AWS Config (option B) evaluates the configuration of individual resources against rules; it does not track the OU tree, so aggregated rules cannot detect a moved account or deleted OU. A CloudTrail organization trail (option C) does record the Organizations API calls that change the hierarchy (such as MoveAccount, CreateOrganizationalUnit and DeleteOrganizationalUnit), but turning those log entries into notifications means building and maintaining EventBridge rules or a log-processing pipeline plus an SNS topic. CloudFormation drift detection (option D) only compares resources in a given stack against their template; it does not report changes to the OU hierarchy made outside the stack, and stack drift detection must be invoked explicitly, so it is not a notification mechanism.
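The following Python is an added example for this page, not code from AWS or from the question. It shows the "subscribe the operations team" step of option A as a small Lambda function attached to the SNS topic that receives Control Tower drift notifications, filtering the notifications down to the ones that change the OU hierarchy. The SNS-to-Lambda record shape (`Records[].Sns.Message`) is the real one; the field names inside the drift message (`DriftType`, `OrganizationalUnitId`, `AccountId`, `RemediationStep`, ...) and the drift-type strings in `OU_HIERARCHY_DRIFT_TYPES` are assumptions to be checked against the current Control Tower documentation, and the sample event at the bottom is constructed.

```python
"""Triage AWS Control Tower drift notifications delivered through SNS.

Added example, not AWS code. Assumes a Lambda function subscribed to the
SNS topic in the audit account that Control Tower publishes drift
notifications to, and that each message body is a JSON object with a
"DriftType" field. Field names and drift-type strings are assumptions;
verify them against the current Control Tower documentation.
"""
import json

# Drift types that change the shape of the OU tree (assumed names).
OU_HIERARCHY_DRIFT_TYPES = frozenset({
    "AccountMovedBetweenOrganizationalUnits",
    "OrganizationalUnitDeleted",
    "AccountRemovedFromOrganization",
})


def parse_drift_notification(sns_record):
    """Return the drift payload dict from one SNS record, or None when the
    record is not a parseable Control Tower drift notification."""
    raw = sns_record.get("Sns", {}).get("Message")
    if not isinstance(raw, str):
        return None
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict) or "DriftType" not in payload:
        return None
    return payload


def is_ou_hierarchy_drift(payload):
    """True when the drift concerns the OU hierarchy rather than, say, an SCP."""
    return payload.get("DriftType") in OU_HIERARCHY_DRIFT_TYPES


def format_ops_alert(payload):
    """One-line alert for the operations channel; ids are copied verbatim so
    the on-call engineer can pivot straight into the Organizations console."""
    return (
        f"[ControlTower drift] {payload['DriftType']} "
        f"org={payload.get('OrganizationId', '?')} "
        f"ou={payload.get('OrganizationalUnitId', '?')} "
        f"account={payload.get('AccountId', '?')}: "
        f"{payload.get('Message', '')} "
        f"Remediation: {payload.get('RemediationStep', 'n/a')}"
    )


def triage_records(records):
    """Return alert strings for the OU-hierarchy drift records only;
    other drift types and unparseable records are dropped."""
    alerts = []
    for record in records:
        payload = parse_drift_notification(record)
        if payload is not None and is_ou_hierarchy_drift(payload):
            alerts.append(format_ops_alert(payload))
    return alerts


def lambda_handler(event, context=None):
    """Entry point for an SNS-triggered Lambda function."""
    alerts = triage_records(event.get("Records", []))
    for alert in alerts:
        print(alert)  # replace with a paging/chat/email call in production
    return {"ou_hierarchy_alerts": len(alerts)}


# Constructed sample event (not a real notification): one account moved
# between OUs, one SCP change that should not page the ops team, and one
# non-JSON message that must be ignored.
SAMPLE_EVENT = {
    "Records": [
        {"Sns": {"Message": json.dumps({
            "DriftType": "AccountMovedBetweenOrganizationalUnits",
            "ManagementAccountId": "111111111111",
            "OrganizationId": "o-exampleorgid",
            "AccountId": "222222222222",
            "OrganizationalUnitId": "ou-exam-ple00002",
            "Message": "Account 222222222222 moved from 'Sandbox' to 'Security'.",
            "RemediationStep": "Move the account back to 'Sandbox'.",
        })}},
        {"Sns": {"Message": json.dumps({
            "DriftType": "SCPUpdated",
            "ManagementAccountId": "111111111111",
            "OrganizationId": "o-exampleorgid",
            "Message": "An SCP managed by Control Tower was modified.",
        })}},
        {"Sns": {"Message": "not json at all"}},
    ]
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Deploy the function in the audit account, subscribe it to the drift notification topic, and route the returned alerts to the operations team's channel; the filtering keeps guardrail drift, which a different team may own, out of the OU-change feed.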