AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company's solutions architect is designing an AWS multi-account solution that uses AWS Organizations. The solutions architect has organized the company's accounts into organizational units (OUs). The solutions architect needs a solution that will identify any changes to the OU hierarchy. The solution also needs to notify the company's operations team of any changes. Which solution will meet these requirements with the LEAST operational overhead?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Provision the AWS accounts by using AWS Control Tower. Use account drift notifications to identify the changes to the OU hierarchy.

Provision the AWS accounts by using AWS Control Tower. Use AWS Config aggregated rules to identify the changes to the OU hierarchy.

Use AWS Service Catalog to create accounts in Organizations. Use an AWS CloudTrail organization trail to identify the changes to the OU hierarchy.

Use AWS CloudFormation templates to create accounts in Organizations. Use the drift detection operation on a stack to identify the changes to the OU hierarchy.

Explanation:

Explanation

Correct Answer: B

Why Option B is correct:

AWS Control Tower provides a comprehensive solution for managing multi-account AWS environments with built-in governance and compliance controls.
AWS Config aggregated rules can monitor changes across multiple accounts in an organization. When configured with an organization trail, AWS Config can detect changes to AWS Organizations resources, including OU hierarchy modifications.
AWS Config rules can be configured to trigger notifications (via Amazon SNS) when changes are detected, automatically notifying the operations team.
This solution has the least operational overhead because AWS Control Tower and AWS Config are managed services that work together seamlessly for multi-account governance.

Why other options are incorrect:

A: Account drift notifications in AWS Control Tower primarily monitor deviations from the baseline configuration of accounts, not specifically OU hierarchy changes. This is not the most direct or efficient method for detecting OU changes.

C: While AWS CloudTrail organization trails can log API calls including those to AWS Organizations, this approach requires additional setup to parse logs, create detection logic, and trigger notifications. This has higher operational overhead compared to using AWS Config rules.

D: AWS CloudFormation drift detection is designed to detect differences between the actual deployed resources and the expected stack template configuration. It's not designed to monitor AWS Organizations OU hierarchy changes, and using it for this purpose would be complex and inefficient.

Key AWS Services Involved:

AWS Organizations: Manages multiple AWS accounts
AWS Control Tower: Sets up and governs multi-account environments
AWS Config: Monitors and records configuration changes
Amazon SNS: For notification delivery

This solution provides automated detection and notification with minimal ongoing management, meeting the requirement for least operational overhead.

Powered ByGPT-5.2

Comments

Loading comments...