
A network engineer is managing a large-scale migration from an on-premises data center to a multi-account environment based on AWS Control Tower. The environment includes a transit gateway deployed in a central network services account, which has been shared with an organization in AWS Organizations using AWS Resource Access Manager (AWS RAM). Additionally, a shared services account hosts workloads that need to be accessible across the entire organization.
The engineer must design a solution to automate the deployment of standard network components across the environment. This solution should provision a VPC for application workloads in each new and existing member account, ensuring these VPCs are connected to the transit gateway in the central network services account.
Which three steps should be combined to fulfill these requirements with minimal operational overhead?
A
Deploy an AWS Lambda function to the shared services account. Program the Lambda function to assume a role in the new and existing member accounts to provision the necessary network infrastructure.
B
Update the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.
C
Create an AWS CloudFormation template that describes the infrastructure that needs to be created in each account. Upload the template as an AWS Service Catalog product to the shared services account.
D
Deploy an Amazon EventBridge rule on a default event bus in the shared services account. Configure the EventBridge rule to react to AWS Control Tower CreateManagedAccount lifecycle events and to invoke the AWS Lambda function.
E
Create an AWSControlTowerBlueprintAccess role in the shared services account.