AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer is AWS Control Tower. This service is designed to automate the setup of a secure, well-architected, multi-account AWS environment called a landing zone. It orchestrates multiple other AWS services, including AWS Organizations, AWS IAM Identity Center, AWS Service Catalog (for the Account Factory), AWS Config, and AWS CloudTrail, to provide a holistic governance solution out of the box. It includes pre-configured preventive and detective guardrails and a dashboard for monitoring compliance, directly addressing all the specified requirements in the most efficient manner.

• Using AWS Organizations with custom CloudFormation templates is a viable but much more labor-intensive approach. It requires the customer to design, build, and maintain the entire landing zone infrastructure and governance logic, which is less efficient than using the managed Control Tower service.
• The AWS Landing Zone solution was a predecessor to AWS Control Tower. It was a solution based on CloudFormation templates and has been superseded by AWS Control Tower, which is the recommended service for new landing zone deployments.
• AWS Security Hub and AWS Config are essential components for security posture management and compliance auditing (detective controls), respectively. While Control Tower uses these services as part of its landing zone, they do not, by themselves, create the multi-account structure, provide an account factory, or establish the foundational landing zone.