Which solution will meet this requirement?
In the organization’s management account, create an Amazon EventBridge rule that reacts to a CreateAccount API call. Configure the rule to invoke an AWS Lambda function that enables trusted access to AWS Config for the organization.
In the organization’s management account, create an AWS CloudFormation stack set to enable AWS Config. Configure the stack set to deploy automatically when an account is created through Organizations.
In the organization’s management account, create an SCP that allows the appropriate AWS Config API calls to enable AWS Config. Apply the SCP to the root-level OU.
In the organization’s management account, create an Amazon EventBridge rule that reacts to a CreateAccount API call. Configure the rule to invoke an AWS Systems Manager Automation runbook to enable AWS Config for the account.
Explanations:
An Amazon EventBridge rule that reacts to a CreateAccount API call could invoke a Lambda function, but enabling AWS Config in the new account requires trusted access and a more direct deployment method than custom function code. Lambda is not ideal for enabling AWS Config across many accounts in a scalable, repeatable manner.
Using AWS CloudFormation stack sets is the most efficient and scalable approach to automatically enable AWS Config in new accounts. When an account is created in AWS Organizations, a service-managed stack set with automatic deployment enabled deploys its resources, including the AWS Config setup, to that account without any manual step.
An SCP (Service Control Policy) can restrict or allow specific actions, but it cannot automatically enable AWS Config across accounts. SCPs are used for controlling permissions, not for setting up services like AWS Config.
While Amazon EventBridge can trigger actions on account creation, using an AWS Systems Manager Automation runbook to enable AWS Config is not the most efficient or automated way compared to CloudFormation stack sets, which are designed for this type of use case.
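The automatic-deployment behaviour the correct option relies on, shown as an added illustration that is not part of the original page: a CloudFormation template, deployed in the management account, that defines a service-managed stack set with AutoDeployment enabled and targets an OU. The OU ID, the S3 URL of the child template that actually creates the AWS Config recorder, delivery channel and role, and the region are placeholders; the template assumes trusted access between Organizations and CloudFormation StackSets is already enabled.

```yaml
# Added example (not from the original page): a service-managed StackSet that
# auto-deploys a Config-enabling child template to every account created in,
# or moved into, the targeted OU. Assumes Organizations trusted access for
# CloudFormation StackSets is already enabled in the management account and
# that the child template at TemplateURL (placeholder) creates the AWS Config
# recorder, delivery channel and IAM role.
AWSTemplateFormatVersion: "2010-09-09"
Description: Auto-deploy AWS Config to new member accounts via StackSets

Parameters:
  TargetOuId:
    Type: String
    Description: OU under which new accounts are created (placeholder value)
    Default: ou-EXAMPLE-PLACEHOLDER
  ConfigTemplateUrl:
    Type: String
    Description: S3 URL of the child template that enables AWS Config
    Default: https://s3.amazonaws.com/EXAMPLE-BUCKET/enable-aws-config.yaml

Resources:
  EnableConfigStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: enable-aws-config
      Description: Enables AWS Config in every account under the target OU
      PermissionModel: SERVICE_MANAGED   # Organizations provisions the roles
      AutoDeployment:
        Enabled: true                    # deploy on account creation / OU move
        RetainStacksOnAccountRemoval: false
      Capabilities:
        - CAPABILITY_NAMED_IAM           # child template creates the Config role
      TemplateURL: !Ref ConfigTemplateUrl
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref TargetOuId
          Regions:
            - us-east-1                  # list every region Config must record
      OperationPreferences:
        FailureToleranceCount: 0         # stop on the first failed account
        MaxConcurrentCount: 10
```

Accounts already in the OU receive stack instances when this stack is created; accounts created afterwards under the OU are picked up by the automatic deployment without any EventBridge rule, Lambda function or runbook.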