A company's solutions architect is designing an AWS multi-account solution that uses AWS Organizations. The solutions architect has organized the company's accounts into organizational units (OUs).
The solutions architect needs a solution that will identify any changes to the OU hierarchy. The solution also needs to notify the company's operations team of any changes.
Which solution will meet these requirements with the LEAST operational overhead?
AWS Control Tower is a service designed specifically to manage multiple AWS accounts and provide governance and best practices for those accounts. One of the features of Control Tower is account drift notifications, which automatically detect and notify administrators of any changes to the account configurations, including changes to the organizational unit (OU) hierarchy. This functionality minimizes operational overhead as it is built-in and does not require additional configuration or maintenance, which would be necessary with solutions like AWS Config, AWS CloudTrail, or AWS CloudFormation.
The key advantages you highlight of Control Tower are convincing: Fully managed service simplifies multi-account setup. Built-in account drift notifications detect OU changes automatically. More scalable and less complex than Config rules or CloudTrail. Better security and compliance guardrails than custom options. Lower operational overhead compared to other solution
A is correct. https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html https://docs.aws.amazon.com/controltower/latest/userguide/prevention-and-notification.html
This was in my exam today..I selected Answer A
what percentage of all these questions would you say were in the exam?
I read in one of the earlier questions, its around 75%, someone who gave the exam said so
AWS Config helps you maintain a detailed inventory of your resources and their configurations, track changes over time, and ensure compliance with your organization's policies and industry regulations.
Furthermore, AWS Config Aggregated Rules are a feature within AWS Config that enables you to evaluate compliance with desired configurations or compliance standards across multiple AWS accounts and regions. They are particularly useful in scenarios where you want to enforce consistent rules and compliance checks across an entire organization with multiple AWS accounts.
NVM - This is such a stupid question lol changing my answer to A due to the following: Account drift notifications in AWS are a feature provided by AWS Control Tower. These notifications help organizations identify and respond to changes made to an AWS account that deviate from the established baseline configuration created during the initial setup by AWS Control Tower. Drift refers to any configuration changes that have been made to an AWS account after it was provisioned by Control Tower.
https://docs.aws.amazon.com/controltower/latest/userguide/prevention-and-notification.html
AWS Control Tower provides passive and active methods of drift monitoring protection for preventive controls.
A https://docs.aws.amazon.com/controltower/latest/userguide/drift.html
Create Accounts using AWS Service Catalog: Utilize AWS Service Catalog to provision AWS accounts within AWS Organizations. This ensures standardized account creation and management. Enable AWS CloudTrail Organization Trail: Set up an AWS CloudTrail organization trail that records all API calls across all accounts in the organization. This trail will capture changes to the OU hierarchy, including any modifications to organizational units.