AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer is to use AWS Control Tower. AWS Control Tower is a managed service that automates the setup of a secure, multi-account AWS environment called a landing zone. It directly addresses all the requirements by orchestrating several other AWS services. It uses AWS Organizations to create the multi-account structure, applies preventative guardrails through Service Control Policies (SCPs) to block actions like disabling CloudTrail, and deploys detective guardrails using AWS Config rules to monitor for non-compliance. Furthermore, it establishes an 'Account Factory' which utilizes AWS Service Catalog to provide a self-service portal for provisioning new accounts that automatically inherit all the defined governance policies.

Using AWS Organizations with custom Lambda functions is a manual, bespoke approach, not a managed service. While it can achieve a similar outcome, it requires significant development and maintenance effort, contrary to the goal of using a managed solution.

Using only AWS Service Catalog with AWS CloudFormation templates is incomplete. This approach lacks the centralized, preventative enforcement at the organization level that SCPs provide. IAM policies within an account can be altered by administrators of that account, whereas SCPs set at the organizational unit level cannot be overridden by member accounts.

The AWS Landing Zone solution was a template-based predecessor to AWS Control Tower. While it provided similar functionality, it is no longer recommended by AWS for setting up new multi-account environments; AWS Control Tower is the current, managed service that supersedes it.