An enterprise uses AWS Control Tower. They need to customize the account vending process to automatically deploy a specific third-party security agent on all EC2 instances created in new accounts. What is the BEST approach?

Answer options:

Manually log into each new account and install the agent.

Use Control Tower Account Factory Customization (AFC) or lifecycle events to trigger an AWS Step Functions workflow that deploys the agent via Systems Manager.

Modify the default Control Tower CloudFormation templates.

Use an SCP to enforce the installation of the agent.

How to approach this question

Look for the native extensibility feature of Control Tower.

Full Answer

B.Use Control Tower Account Factory Customization (AFC) or lifecycle events to trigger an AWS Step Functions workflow that deploys the agent via Systems Manager.✓ Correct

Control Tower emits lifecycle events to EventBridge, which can trigger automated workflows to customize new accounts.

Common mistakes

Thinking SCPs can perform actions like installing software.

Question 26 All questions Question 28

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 3

75 questions · hints · full answers · grading

More questions from this exam

Q01An enterprise has 100 VPCs across 5 AWS Regions. They need to establish a highly available, trans...Hard Q02A company uses AWS Organizations. The CISO requires that no EC2 instances can be launched outside...Medium Q03An application uses Amazon Aurora PostgreSQL. To meet disaster recovery requirements, the databas...Hard Q04A company is setting up a new multi-account AWS environment. They want to automate the creation o...Medium Q05An organization wants to allocate AWS costs to specific departments. They use multiple AWS accoun...Medium

View all 75 questions →