AWS Certified Solutions Architect - Associate / Question #1579 of 1019

Question #1579

A company's solutions architect is designing an AWS multi-account solution that uses AWS Organizations. The solutions architect has organized the company's accounts into organizational units (OUs). The solutions architect needs a solution that will identify any deletion of OUs within the hierarchy. The solution also needs to notify the company's operations team of any such changes. Which solution will meet these requirements with the LEAST operational overhead?

A

Provision the AWS accounts by using AWS Control Tower. Use account drift notifications to identify the deletion of OUs.

B

Provision the AWS accounts by using AWS Control Tower. Use AWS Config aggregated rules to identify the deletion of OUs.

C

Use AWS Service Catalog to create accounts in Organizations. Use an AWS CloudTrail organization trail to identify the deletion of OUs.

D

Use AWS CloudFormation templates to create accounts in Organizations. Use the drift detection operation on a stack to identify the deletion of OUs.

Explanation

The correct answer is A. AWS Control Tower provides built-in drift detection, which monitors deviations from the governed baseline, including the deletion of an OU that Control Tower has registered. Drift notifications are delivered through the Amazon SNS topic that Control Tower creates in the audit account, so the operations team only needs to subscribe to it. This requires no additional setup beyond provisioning accounts via Control Tower, minimizing operational overhead.

Why other options are incorrect:
- B: AWS Config requires manual setup of custom rules and aggregation, increasing complexity.
- C: CloudTrail trails require configuring event monitoring and notifications, adding operational steps.
- D: CloudFormation drift detection only tracks resources defined in stacks, not OUs managed outside templates.

Key Points:
- Control Tower automates governance and drift detection.
- OU deletions are treated as 'drift' in Control Tower's managed environment.
- Built-in notifications reduce manual configuration.

Answer

The correct answer is: A