Which solution will meet these requirements with the LEAST operational overhead?
A. Create an AWS Control Tower Account Factory Customization (AFC) blueprint that uses the baseline configuration. Use AWS Control Tower Account Factory to provision a dedicated AWS account for each environment and a CI/CD account by using the blueprint.
B. Use AWS Control Tower Account Factory to provision a dedicated AWS account for each environment and a CI/CD account. Use AWS CloudFormation StackSets to apply the baseline configuration to the new accounts.
C. Use Organizations to provision a multi-environment AWS account and a CI/CD account. In the Organizations management account, create an AWS Lambda function that assumes the Organizations access role to apply the baseline configuration to the new accounts.
D. Use Organizations to provision a dedicated AWS account for each environment, an audit account, and a CI/CD account. Use AWS CloudFormation StackSets to apply the baseline configuration to the new accounts.
Explanations:
A. AWS Control Tower Account Factory Customization (AFC) allows creating accounts with a predefined baseline configuration. This integrates directly with AWS Control Tower and minimizes operational overhead by automating account provisioning and configuration with guardrails.
B. AWS Control Tower Account Factory can provision the accounts, but using AWS CloudFormation StackSets separately would add unnecessary complexity and overhead for the baseline configuration. Control Tower already automates these steps.
C. While Organizations can provision accounts, using a custom AWS Lambda function adds complexity and increases operational overhead compared to using the built-in AWS Control Tower features.
D. Similar to Option B, using AWS CloudFormation StackSets with Organizations adds complexity and doesn’t leverage the full capabilities of AWS Control Tower to automate account provisioning and baseline configuration.