Which solution will meet these requirements in the MOST automated way?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company has chosen AWS to host a new application.The company needs to implement a multi-account strategy.A DevOps engineer creates a new AWS account and an organization in AWS Organizations.The DevOps engineer also creates the OU structure for the organization and sets up a landing zone by using AWS Control Tower.The DevOps engineer must implement a solution that automatically deploys resources for new accounts that users create through AWS Control Tower Account Factory.When a user creates a new account, the solution must apply AWS CloudFormation templates and SCPs that are customized for the OU or the account to automatically deploy all the resources that are attached to the account.All the OUs are enrolled in AWS Control Tower.

Which solution will meet these requirements in the MOST automated way?

Use AWS Service Catalog with AWS Control Tower. Create portfolios and products in AWS Service Catalog. Grant granular permissions to provision these resources. Deploy SCPs by using the AWS CLI and JSON documents.

Deploy CloudFormation stack sets by using the required templates. Enable automatic deployment. Deploy stack instances to the required accounts. Deploy a CloudFormation stack set to the organization’s management account to deploy SCPs.

Create an Amazon EventBridge rule to detect the CreateManagedAccount event. Configure AWS Service Catalog as the target to deploy resources to any new accounts. Deploy SCPs by using the AWS CLI and JSON documents.

Deploy the Customizations for AWS Control Tower (CfCT) solution. Use an AWS CodeCommit repository as the source. In the repository, create a custom package that includes the CloudFormation templates and the SCP JSON documents.

Explanations:

AWS Service Catalog does not provide the automation needed to automatically apply CloudFormation templates and SCPs upon account creation. Manual steps would be required, and SCPs cannot be fully managed by Service Catalog alone.

CloudFormation StackSets can deploy resources to new accounts, but this setup requires additional scripting to handle SCPs separately and does not fully automate deployment across new accounts in Control Tower.

Amazon EventBridge can detect account creation, but using Service Catalog for deployment requires manual provisioning steps. Additionally, SCP deployment with the CLI is not integrated, making the solution less automated.

The Customizations for AWS Control Tower (CfCT) solution is designed to automate custom resource deployment with AWS Control Tower. It allows centralized deployment of CloudFormation templates and SCPs, meeting the automation needs.

2025-10-10

1 Comment

  1. Arthur
    Author

    My best guess is:
    Deploy the Customizations for AWS Control Tower (CfCT) solution. Use an AWS CodeCommit repository as the source. In the repository, create a custom package that includes the CloudFormation templates and the SCP JSON documents.

Leave a Reply

Your email address will not be published. Required fields are marked *

19 − sixteen =