
AWS Security Governance at Scale: What Are the Core AWS Services for Enterprise Governance and Control?

How Do AWS Organizations and Control Tower Establish Cloud Governance?

Learn about the foundational AWS services for enterprise-wide governance and control. Understand how AWS Organizations provides central management and how AWS Control Tower automates the deployment of a secure, governed multi-account environment.

Question

Which AWS services are used for enterprise governance and control? (Select TWO.)

A. AWS Service Catalog
B. AWS CloudFormation
C. AWS Organizations
D. AWS Control Tower
E. Amazon CloudWatch

Answer

C. AWS Organizations
D. AWS Control Tower

Explanation

The correct answers are C. AWS Organizations and D. AWS Control Tower. These two services are specifically designed to establish and manage governance at an enterprise scale across a multi-account AWS environment.

C. AWS Organizations: This is the foundational service for enterprise governance. It enables you to centrally manage multiple AWS accounts. Its primary functions include consolidated billing, but more important for governance is that it lets you apply policy-based controls. Using Service Control Policies (SCPs), you can enforce permission guardrails on all accounts within your organization, restricting which AWS services and actions are available to users and roles, including the root user of member accounts.

D. AWS Control Tower: This is a higher-level orchestration service that automates the setup of a secure and compliant multi-account environment, often referred to as a landing zone. It builds upon the capabilities of AWS Organizations, AWS Service Catalog, and AWS Config to provide a pre-packaged governance solution. Control Tower establishes a baseline with mandatory and recommended guardrails (both preventive and detective) that help ensure your environment adheres to AWS best practices from the start. It simplifies the process of applying and managing enterprise-wide governance.
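The SCP guardrail behaviour described under option C can be modelled in a few lines. This is an added example, not code from AWS or from this page: the policy contents, the `is_allowed` and `scp_permits` helpers and the three-level hierarchy are constructed for illustration, and only `Effect` and `Action` are modelled.

```python
# Added example: a simplified model of SCP guardrails, not AWS's evaluation engine.
# Only Effect/Action are modelled; Resource and Condition elements are ignored.
from fnmatch import fnmatchcase

# Constructed sample policies in SCP / IAM policy JSON shape.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DENY_GUARDRAIL = {"Statement": [{"Effect": "Deny", "Action": [
    "organizations:LeaveOrganization", "cloudtrail:StopLogging"]}]}
ADMIN_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "*"}]}


def matches(policy, effect, action):
    """True if any statement with this Effect has an Action pattern covering action."""
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if stmt["Effect"] == effect and any(
                fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def scp_permits(levels, action):
    """levels: SCPs attached at each level on the path root -> OU -> account.
    Every level must allow the action, and a Deny at any level is final."""
    for scps in levels:
        if any(matches(p, "Deny", action) for p in scps):
            return False
        if not any(matches(p, "Allow", action) for p in scps):
            return False
    return True


def is_allowed(action, identity_policies, levels, principal="role",
               management_account=False):
    """Effective permission = what the identity has, capped by the SCP guardrail."""
    # SCPs do not restrict principals in the organization's management account.
    if not management_account and not scp_permits(levels, action):
        return False
    if principal == "root":
        return True  # member-account root has no identity policy; only SCPs cap it
    if any(matches(p, "Deny", action) for p in identity_policies):
        return False
    return any(matches(p, "Allow", action) for p in identity_policies)  # SCPs grant nothing


# Constructed hierarchy: guardrail attached at the OU level.
LEVELS = [[FULL_ACCESS], [FULL_ACCESS, DENY_GUARDRAIL], [FULL_ACCESS]]
```

The model shows two points that are easy to miss in review: an SCP never grants access on its own, and an administrator or root user in a member account is still bound by a Deny attached higher in the hierarchy.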

Incorrect Options

A. AWS Service Catalog: This service allows you to create and manage catalogs of pre-approved IT services (products) for use on AWS. While it is a tool for enforcing governance on the resources that are deployed, it is not a service for governing the accounts themselves at an enterprise level.

B. AWS CloudFormation: This is an Infrastructure as Code (IaC) service used to model and provision AWS resources. It is a deployment mechanism, not a governance and control service in itself, though it is often used by services like Service Catalog and Control Tower to provision standardized resources.

E. Amazon CloudWatch: This is a monitoring and observability service. It provides data and actionable insights to monitor applications, respond to system-wide performance changes, and optimize resource utilization. While essential for operational awareness, it is not a primary service for establishing central governance policies and controls.
