Which solution will meet these requirements in the MOST automated way?
Use AWS Service Catalog with AWS Control Tower. Create portfolios and products in AWS Service Catalog. Grant granular permissions to provision these resources. Deploy SCPs by using the AWS CLI and JSON documents.
Deploy CloudFormation stack sets by using the required templates. Enable automatic deployment. Deploy stack instances to the required accounts. Deploy a CloudFormation stack set to the organization’s management account to deploy SCPs.
Create an Amazon EventBridge rule to detect the CreateManagedAccount event. Configure AWS Service Catalog as the target to deploy resources to any new accounts. Deploy SCPs by using the AWS CLI and JSON documents.
Deploy the Customizations for AWS Control Tower (CfCT) solution. Use an AWS CodeCommit repository as the source. In the repository, create a custom package that includes the CloudFormation templates and the SCP JSON documents.
Explanations:
AWS Service Catalog does not by itself apply CloudFormation templates and SCPs when a new account is created. Manual steps would be required, and SCPs cannot be fully managed by Service Catalog alone.
CloudFormation StackSets can deploy resources to new accounts, but this setup requires additional scripting to handle SCPs separately and does not fully automate deployment across new accounts in Control Tower.
Amazon EventBridge can detect account creation, but using Service Catalog for deployment still requires manual provisioning steps. Additionally, deploying SCPs with the CLI is a separate step that is not integrated into the account-creation workflow, making the solution less automated.
The Customizations for AWS Control Tower (CfCT) solution is designed to automate custom resource deployment with AWS Control Tower. It allows centralized deployment of CloudFormation templates and SCPs, meeting the automation needs.