AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A global enterprise is planning a multi-wave migration of more than 300 on-premises applications to AWS. A centralized cloud center of excellence (CCoE) owns security and compliance, while each business unit will operate its own Dev, Test, and Prod AWS accounts after migration. The CCoE must:
Enforce mandatory preventive and detective controls across every AWS account
Automatically apply baseline networking, central logging, and IAM configuration
Allow business-unit engineers to create additional AWS accounts for later migration waves without opening support tickets
Continuously detect and remediate configuration drift
Keep custom code and ongoing operational overhead to a minimum
Which approach best meets these requirements?
Build a custom landing zone by combining AWS CloudFormation StackSets, AWS Config conformance packs, and scripts that call the Organizations CreateAccount API to vend new accounts for each migration wave.
Deploy AWS Control Tower, create a landing zone with preventive and detective guardrails, and delegate Account Factory access to IAM Identity Center groups so business units can self-provision compliant AWS accounts on demand.
Create an AWS Organization with consolidated billing features only, place every workload in a single shared account, and use IAM permissions boundaries plus AWS Resource Access Manager for team isolation.
Provide one shared AWS account per business unit, enable AWS Config only in the management account for compliance visibility, and standardize deployments through AWS Service Catalog portfolios.
AWS Control Tower sets up a prescriptive landing zone that uses AWS Organizations, IAM Identity Center, Service Catalog, and optional guardrails to deliver preventive and detective controls across all accounts. Guardrails are implemented with SCPs and AWS Config rules, and the service's drift-detection dashboard continuously monitors compliance. Account Factory lets authorized IAM Identity Center groups provision new, fully compliant accounts without needing the management account or bespoke scripts. Because the orchestration is managed by the service, operational overhead is low.
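As an added illustration of the preventive side of the explanation above (this is not the exam's text or AWS's managed control definitions), the following Python snippet shows what a guardrail of the "protect central logging" kind looks like when expressed as an SCP, and walks through how the Deny is evaluated for different callers. The role name `ExampleLandingZoneExecutionRole`, the account IDs and the statement identifier are constructed placeholders; the evaluator implements only the handful of IAM semantics the policy uses and is not a substitute for the IAM policy simulator.

```python
import fnmatch
import json

# Added example, not the exam's or AWS's managed control text. The role name
# below is a placeholder; Control Tower's own managed controls use their own
# role names and statement identifiers.
EXECUTION_ROLE_PATTERN = "arn:aws:iam::*:role/ExampleLandingZoneExecutionRole"

# A preventive guardrail: nobody in a member account may stop, delete or
# reconfigure the organization trail, except the landing-zone automation role.
PROTECT_TRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyChangesToCentralTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            # The Deny applies to every principal whose ARN does NOT match the
            # automation role pattern.
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": EXECUTION_ROLE_PATTERN}},
        }
    ],
}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names are matched case-insensitively and support '*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate the small subset of IAM condition operators used here.

    Simplified: ARN wildcards are approximated with shell-style globbing.
    """
    for operator, pairs in condition.items():
        for key, pattern in pairs.items():
            value = context.get(key, "")
            if operator == "ArnLike" and not fnmatch.fnmatchcase(value, pattern):
                return False
            if operator == "ArnNotLike" and fnmatch.fnmatchcase(value, pattern):
                return False
    return True


def scp_denies(scp: dict, action: str, principal_arn: str) -> bool:
    """Return True if any Deny statement in the SCP applies to this request.

    An SCP never grants permissions; it only lowers the ceiling of what
    identity policies in the account can allow. This toy evaluator therefore
    answers one question only: "is the action explicitly denied?"
    """
    context = {"aws:PrincipalARN": principal_arn}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed principals: a business-unit administrator and the
    # landing-zone automation role, both in a fictitious account.
    bu_admin = "arn:aws:iam::111122223333:role/BusinessUnitAdmin"
    automation = "arn:aws:iam::111122223333:role/ExampleLandingZoneExecutionRole"
    print(json.dumps(PROTECT_TRAIL_SCP, indent=2))
    print(scp_denies(PROTECT_TRAIL_SCP, "cloudtrail:StopLogging", bu_admin))    # True
    print(scp_denies(PROTECT_TRAIL_SCP, "cloudtrail:StopLogging", automation))  # False
    print(scp_denies(PROTECT_TRAIL_SCP, "cloudtrail:LookupEvents", bu_admin))   # False
```

The point the exam explanation makes is visible in the last three calls: even an account administrator cannot disable the central trail, the managed automation role still can, and read-only CloudTrail calls are untouched. The detective half of the pattern (an AWS Config rule that flags a trail that is not logging) complements this rather than replacing it, since the SCP prevents the drift while the Config rule reports anything that slipped past, such as resources created before the guardrail was attached.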
Creating an AWS Organization with only consolidated billing features prevents the use of SCPs, so mandatory guardrails cannot be enforced. Building a fully custom landing zone can meet the technical requirements but requires significant custom code and ongoing maintenance, which the scenario explicitly seeks to avoid. Placing workloads in a small number of shared accounts and relying on AWS Config only in the management account provides neither strong isolation nor centralized, preventive controls.
Therefore, deploying AWS Control Tower with delegated Account Factory access is the most appropriate governance model.
Accelerate Workload Migration and Modernization