🔥 3-day streak
AWS Certified Security - Specialty41 / 184
Question 41 of 184

A financial services company uses AWS Control Tower to govern a multi-account environment with over 80 accounts across several OUs. The security team requires that every newly provisioned account automatically receives a standardized set of baseline resources: a hardened VPC configuration, a specific IAM role for the SOC team, and an SNS topic subscription for security notifications. These resources are not covered by Control Tower guardrails or SCPs. The team wants this to happen automatically whenever Account Factory creates a new account, with minimal manual intervention. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issueNext question