
Answer-first summary for fast verification
Answer: Provision the AWS accounts by using AWS Control Tower. Use AWS Config aggregated rules to identify the changes to the OU hierarchy.
## Explanation

**Correct Answer: B**

**Why Option B is correct:**

1. **AWS Control Tower** provides a comprehensive solution for managing multi-account AWS environments with built-in governance and compliance controls.
2. **AWS Config aggregated rules** can monitor changes across multiple accounts in an organization. When configured with an organization trail, AWS Config can detect changes to AWS Organizations resources, including OU hierarchy modifications.
3. AWS Config rules can be configured to trigger notifications (via Amazon SNS) when changes are detected, automatically notifying the operations team.
4. This solution has the **least operational overhead** because AWS Control Tower and AWS Config are managed services that work together seamlessly for multi-account governance.

**Why other options are incorrect:**

- **A:** Account drift notifications in AWS Control Tower primarily monitor deviations from the baseline configuration of accounts, not specifically OU hierarchy changes. This is not the most direct or efficient method for detecting OU changes.
- **C:** While AWS CloudTrail organization trails can log API calls, including those to AWS Organizations, this approach requires additional setup to parse logs, create detection logic, and trigger notifications. This has higher operational overhead compared to using AWS Config rules.
- **D:** AWS CloudFormation drift detection is designed to detect differences between the actual deployed resources and the expected stack template configuration. It is not designed to monitor AWS Organizations OU hierarchy changes, and using it for this purpose would be complex and inefficient.
**Key AWS Services Involved:**

- **AWS Organizations**: Manages multiple AWS accounts
- **AWS Control Tower**: Sets up and governs multi-account environments
- **AWS Config**: Monitors and records configuration changes
- **Amazon SNS**: For notification delivery

This solution provides automated detection and notification with minimal ongoing management, meeting the requirement for least operational overhead.
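The detection step the explanation relies on, shown as an added example (not code from the page or from AWS): a pure function that compares two snapshots of the OU hierarchy and produces the change records an SNS notification would carry. The snapshot layout (node ID mapped to parent ID and name) and all IDs are constructed assumptions; in practice the snapshots would come from the Organizations API inside a scheduled Lambda or custom AWS Config rule.

```python
"""Diff two snapshots of an AWS Organizations OU hierarchy.

Added example, not from the original page. A snapshot is assumed to be a
dict mapping a node ID (an OU or a member account) to (parent_id, name).
"""


def diff_hierarchy(before, after):
    """Return change records for every created, deleted, moved or renamed node.

    Records are plain strings so they can be joined into an SNS message body.
    Nodes are visited in sorted ID order so the output is deterministic.
    """
    changes = []
    for node_id in sorted(set(before) | set(after)):
        old = before.get(node_id)
        new = after.get(node_id)
        if old is None:
            changes.append(f"CREATED {node_id} ({new[1]}) under {new[0]}")
        elif new is None:
            changes.append(f"DELETED {node_id} ({old[1]}) from {old[0]}")
        else:
            if old[0] != new[0]:
                changes.append(f"MOVED {node_id} ({new[1]}) from {old[0]} to {new[0]}")
            if old[1] != new[1]:
                changes.append(f"RENAMED {node_id} from '{old[1]}' to '{new[1]}'")
    return changes


def build_notification(changes):
    """Return (subject, body) for SNS, or None when there is nothing to report."""
    if not changes:
        return None
    subject = f"OU hierarchy changed: {len(changes)} change(s) detected"
    return subject, "\n".join(changes)


# Constructed sample snapshots: Production is renamed, Development is deleted,
# Sandbox is created, and account 123456789012 moves from Development to Prod.
BEFORE = {
    "ou-root-prod": ("r-root", "Production"),
    "ou-root-dev": ("r-root", "Development"),
    "123456789012": ("ou-root-dev", "app-dev"),
}
AFTER = {
    "ou-root-prod": ("r-root", "Prod"),
    "ou-root-sandbox": ("r-root", "Sandbox"),
    "123456789012": ("ou-root-prod", "app-dev"),
}

if __name__ == "__main__":
    subject, body = build_notification(diff_hierarchy(BEFORE, AFTER))
    print(subject, body, sep="\n")
```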
Author: LeetQuiz Editorial Team
A company's solutions architect is designing an AWS multi-account solution that uses AWS Organizations. The solutions architect has organized the company's accounts into organizational units (OUs). The solutions architect needs a solution that will identify any changes to the OU hierarchy. The solution also needs to notify the company's operations team of any changes. Which solution will meet these requirements with the LEAST operational overhead?
A. Provision the AWS accounts by using AWS Control Tower. Use account drift notifications to identify the changes to the OU hierarchy.
B. Provision the AWS accounts by using AWS Control Tower. Use AWS Config aggregated rules to identify the changes to the OU hierarchy.
C. Use AWS Service Catalog to create accounts in Organizations. Use an AWS CloudTrail organization trail to identify the changes to the OU hierarchy.
D. Use AWS CloudFormation templates to create accounts in Organizations. Use the drift detection operation on a stack to identify the changes to the OU hierarchy.