AWS Certified DevOps Engineer – Professional — Question 167
A large company has acquired a small company. The large company has an organization in AWS Organizations. The large company needs to integrate the small company’s single AWS account into the organization with minimal impact to the applications that are deployed in the small company's account.
The large company has deployed AWS Control Tower in its organization and wants to enroll the small company’s account in AWS Control Tower. The large company’s AWS Control Tower configuration includes a security OU, a sandbox OU, and a new destination OU that is set up for the small company's migration. Each company is using AWS Config as part of its account management strategy.
Which combination of steps should a DevOps engineer take to meet these requirements? (Choose two.)
Answer options
- A. Create a landing zone in the security OU of the large company's AWS Control Tower landing zone. Provide the account's email address, the account owner's first and last name, and the name of the landing zone created in the security OU to complete the AWS Control Tower Account Factory enrollment request.
- B. Create and apply SCPs in the destination OU to restrict the types of resources that can be created in the small company’s account. Assess the impact of the applied SCPs on the small company's account. Delete existing SCPs in the small company’s account.
- C. Create an AWS Config conformance pack that contains the policies that are currently applied to the large company's account. Use AWS Config to assess the impact that enrollment in AWS Control Tower will have on the small company's account. Delete the configuration recorder and delivery channels from the AWS Config settings of the small company's account.
- D. Enroll the OU of the small company's account in the large company’s AWS Control Tower environment. Specify the destination OU in the large company's AWS Control Tower landing zone as the receiving OU in the request.
- E. Create an AWSControlTowerExecution role in the small company's account. Provide the account's email address, the account owner's first and last name, and the destination OU to complete the AWS Control Tower Account Factory enrollment request.
Correct answer: B, E
Explanation
The correct answers are B and E. Option B creates and applies service control policies (SCPs) so that the small company's account adheres to compliance requirements while the impact is assessed, which is crucial for integration. Option E creates the AWSControlTowerExecution role in the small company's account, which enables the account to be properly enrolled in AWS Control Tower. Options A, C, and D do not address the specific requirements for minimal impact or do not involve the necessary role creation.