Topic 1 Question 303
Choose two.
A company recently configured AWS Control Tower in its organization in AWS Organizations. The company enrolled all existing AWS accounts in AWS Control Tower. The company wants to ensure that all new AWS accounts are automatically enrolled in AWS Control Tower.
The company has an existing AWS Step Functions workflow that creates new AWS accounts and performs any actions required as part of account creation. The Step Functions workflow is defined in the same AWS account as AWS Control Tower.
Which combination of steps should the company add to the Step Functions workflow to meet these requirements?
A. Create an Amazon EventBridge event that has an aws.controltower source and a CreateManagedAccount detail-type. Add the details of the new AWS account to the detail field of the event.
B. Create an Amazon EventBridge event that has an aws.controltower source and a SetupLandingZone detail-type. Add the details of the new AWS account to the detail field of the event.
C. Create an AWSControlTowerExecution role in the new AWS account. Configure the role to allow the AWS Control Tower administrator account to assume the role.
D. Call the AWS Service Catalog ProvisionProduct API operation with the details of the new AWS account.
E. Call the Organizations EnableAWSServiceAccess API operation with the controltower.amazonaws.com service name and the details of the new AWS account.
Comments (6)
- Selected answer: CD
Option Details:
1. C. Create an AWSControlTowerExecution role:
   • AWS Control Tower requires an AWSControlTowerExecution role in new accounts.
   • This role allows AWS Control Tower to assume control of the account and apply the necessary guardrails, policies, and configurations.
   • Without this role, AWS Control Tower cannot manage the account.
2. D. Call the AWS Service Catalog ProvisionProduct API operation:
   • Account Factory uses AWS Service Catalog to create and enroll new accounts into AWS Control Tower.
   • The ProvisionProduct API operation allows programmatic provisioning of new accounts through Account Factory, ensuring enrollment into Control Tower governance.
👍 4 Ky_24 2024/12/15
Answer: CE
AWSControlTowerExecution Role (Option C): For AWS Control Tower to manage accounts, each account must have the AWSControlTowerExecution role, which allows the AWS Control Tower administrator account to assume the role and apply required policies and controls. Creating this role in the new account enables Control Tower to perform management operations as needed.
Service Catalog ProvisionProduct API (Option D): AWS Control Tower uses AWS Service Catalog products to provision and manage accounts. Calling the ProvisionProduct API operation as part of the Step Functions workflow allows the new account to be enrolled in Control Tower by provisioning it through the appropriate Service Catalog product. This step ensures that the new account is enrolled in the AWS Control Tower landing zone.
👍 3 f4b18ba 2024/11/17
- Selected answer: CD
Download the python code and you will see it calls the ProvisionProduct API in method provision_sc_product
👍 3 CHRIS12722222 2024/12/27
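Option C hinges on who may assume the AWSControlTowerExecution role, so the following added example (not part of the question, the comments, or any AWS code) builds a trust policy for that role and audits an existing one for principals other than the Control Tower administrator (management) account. The function names and account IDs are constructed for illustration, and it assumes the trust policy names the management account root as its principal.

```python
def build_trust_policy(management_account_id):
    """Trust policy that lets only the Control Tower management account assume the role."""
    if not (management_account_id.isdigit() and len(management_account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def audit_trust_policy(policy, management_account_id):
    """Return a list of findings; empty means exactly the management account is trusted."""
    allowed = {management_account_id, f"arn:aws:iam::{management_account_id}:root"}
    findings, trusted = [], False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in stmt:
            findings.append(f"statement {i}: Allow with NotPrincipal trusts everyone else")
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        for kind, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                if kind == "AWS" and value in allowed:
                    trusted = True
                else:
                    findings.append(f"statement {i}: unexpected {kind} principal {value}")
    if not trusted:
        findings.append("management account is not trusted, enrollment cannot assume the role")
    return findings

if __name__ == "__main__":
    MGMT = "111111111111"  # constructed account ID, not a real account
    print(audit_trust_policy(build_trust_policy(MGMT), MGMT))
```

Because this role is what lets AWS Control Tower apply guardrails and configurations in the account, running such a check in the Step Functions workflow before enrollment catches an over-broad trust policy early.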