Within an AWS Control Tower Landing Zone architecture, what is the specific operational purpose of the dynamically provisioned "Log Archive Account"?
A) It serves as a secure, centralized read-only repository where all AWS Config and CloudTrail logs from enrolled member accounts are consolidated and stored indefinitely.
B) It hosts the central Active Directory Federation Services (ADFS) servers required for Single Sign-On across the organization.
C) It automatically applies Detective Guardrails using continuous integration pipelines to prevent malicious API activity.
D) It acts as a dedicated environment strictly for developers to safely test experimental CloudFormation templates before production deployment.
E) It automatically stores all application-level custom logs generated by EC2 instances using the Unified CloudWatch Agent.
F) It provides a localized billing namespace where consolidated invoices are generated and archived for compliance auditors.
Correct Answer: A - It serves as a secure, centralized read-only repository where all AWS Config and CloudTrail logs from enrolled member accounts are consolidated and stored indefinitely.
When defining multi-account governance rules within AWS Control Tower, what is the fundamental functional distinction between a "Preventative Guardrail" and a "Detective Guardrail"?
A) Preventative Guardrails evaluate Web Identity Federation tokens, whereas Detective Guardrails evaluate on-premises Active Directory tokens.
B) Preventative Guardrails actively block non-compliant actions from occurring using SCPs, whereas Detective Guardrails use AWS Config Rules to identify and report existing non-compliant resources without blocking them.
C) Preventative Guardrails utilize temporary STS credentials to mask errors, whereas Detective Guardrails enforce permanent IAM User policy restrictions.
D) Preventative Guardrails are applied exclusively to the centralized Management Account, whereas Detective Guardrails are applied explicitly to the underlying Sandbox OUs.
E) Preventative Guardrails monitor real-time network traffic via VPC Flow Logs, whereas Detective Guardrails block unauthorized inbound traffic using Security Groups.
F) There is no functional distinction; both rely entirely on AWS CloudTrail to immediately roll back non-compliant IAM role assumptions.
Correct Answer: B - Preventative Guardrails actively block non-compliant actions from occurring using SCPs, whereas Detective Guardrails use AWS Config Rules to identify and report existing non-compliant resources without blocking them.
What is a simple and technically accurate definition of the AWS Control Tower service?
A) A specialized JSON-based declarative language used to enforce strict geographic boundaries on data residency within Amazon S3 buckets.
B) A serverless compute orchestration tool that automatically chains AWS Lambda functions together to generate temporary IAM user credentials.
C) An orchestration service that automates the setup, governance, and centralized management of a secure, multi-account AWS environment, often described as "Organizations with superpowers."
D) An internal VPC routing service that securely connects isolated member accounts without traversing the public internet namespace.
E) A continuous integration pipeline designed specifically to automatically rotate hardcoded access keys within legacy on-premises applications.
F) A globally distributed DNS caching service explicitly designed to reduce the latency of Single Sign-On authentications.
Correct Answer: C - An orchestration service that automates the setup, governance, and centralized management of a secure, multi-account AWS environment, often described as "Organizations with superpowers."
During the initial deployment of an AWS Control Tower environment, the system automatically provisions several architectural components. Which two specific entities are typically created inside the Foundational (Security) Organizational Unit?
A) The Production Account and the Staging Account.
B) The Shared Services Account and the Network Transit Account.
C) The Central Billing Account and the IAM Identity Center Master Account.
D) The Audit Account and the Log Archive Account.
E) The Account Factory Automation Role and the Break-Glass Emergency Account.
F) The Development Sandbox Account and the Quality Assurance (QA) Account.
Correct Answer: D - The Audit Account and the Log Archive Account.
A security administrator enables a Detective Guardrail in Control Tower designed to verify whether any EC2 instances possess a public IPv4 address. What happens if an instance with a public IP is discovered?
A) The Control Tower orchestration engine uses Service Control Policies (SCPs) to instantly terminate the non-compliant EC2 instance.
B) The Guardrail's state explicitly changes to "In Violation", acting as a compliance check without actively interrupting the instance's operation.
C) The underlying Account Factory automatically provisions a new, compliant instance and redirects DNS traffic to it to prevent downtime.
D) The Guardrail invokes an immediate "Explicit Deny" on the iam:PassRole API, temporarily suspending the underlying developer's access.
E) The instance is automatically migrated into the isolated Audit Account until a manual security review is performed.
F) The Guardrail modifies the instance's associated Security Group to permanently block all incoming HTTP and HTTPS traffic on ports 80 and 443.
Correct Answer: B - The Guardrail's state explicitly changes to "In Violation", acting as a compliance check without actively interrupting the instance's operation.
An enterprise development team frequently requires new, fully isolated AWS accounts for application testing. They want these accounts to be provisioned with standard network configurations and compliance rules applied automatically. Which native AWS Control Tower feature fulfills this architectural requirement?
A) Web Identity Federation
B) Account Permissions Boundaries
C) AWS Account Factory
D) Service-Linked Roles
E) Centralized Log Streaming
F) The Foundational Audit Account
Correct Answer: C - AWS Account Factory
Which underlying AWS service provides the native technical mechanism that enables Preventative Guardrails in AWS Control Tower to actively block non-compliant API actions across multiple member accounts?
A) AWS Config Rules
B) Service Control Policies (SCPs) within AWS Organizations
C) AWS CloudTrail Event History Hooks
D) Resource-Based Policies attached to the Organizational Root
E) IAM Identity Center (Single Sign-On) Permission Sets
F) Amazon EventBridge Rule Triggers
Correct Answer: B - Service Control Policies (SCPs) within AWS Organizations
What is the specific architectural purpose of the Control Tower "Audit Account" within the foundational security structure?
A) To provide a heavily restricted sandbox environment where software developers can safely test highly privileged cross-account IAM roles.
B) To serve as the primary Identity Provider (IdP), natively federating all incoming Active Directory requests to temporary STS credentials.
C) To act as the centralized hub for executing automated billing consolidation scripts and processing cross-account volume discounts.
D) To permanently archive all unaltered VPC Flow Logs and Route 53 queries into encrypted Amazon Glacier storage vaults.
E) To provide a dedicated, secure environment for security and compliance teams (or third-party tools) to actively audit the overall multi-account environment and receive centralized governance notifications.
F) To automatically generate temporary "Break-Glass" IAM credentials for emergency out-of-band administrative interventions across the entire landing zone.
Correct Answer: E - To provide a dedicated, secure environment for security and compliance teams (or third-party tools) to actively audit the overall multi-account environment and receive centralized governance notifications.
AWS Control Tower does not function as an isolated service; rather, it orchestrates multiple underlying AWS products to create the Landing Zone. Which combination of services is explicitly integrated and automated by Control Tower to provide identity and logging capabilities?
A) IAM Identity Center (SSO), AWS CloudTrail, and AWS Config.
B) Amazon Route 53, Amazon CloudFront, and AWS WAF.
C) AWS Direct Connect, Amazon VPC Transit Gateways, and VPN endpoints.
D) Amazon Elastic Compute Cloud (EC2), AWS Lambda, and Amazon DynamoDB.
E) Amazon Simple Email Service (SES), Amazon WorkMail, and AWS Secrets Manager.
F) AWS Elastic Beanstalk, AWS CodePipeline, and Amazon Elastic Container Service (ECS).
Correct Answer: A - IAM Identity Center (SSO), AWS CloudTrail, and AWS Config.
When utilizing the AWS Account Factory within Control Tower to provision new member environments, which of the following statements represents a significant operational benefit and best practice?
A) It entirely circumvents the need for IAM users, requiring developers to log in exclusively using the native Root Account credentials for their specific workspace.
B) It automatically bypasses the mandatory "Log Archive Account," significantly lowering data ingestion costs for short-lived development environments.
C) It can be integrated directly into a Software Development Lifecycle (SDLC) via APIs, allowing new, compliant AWS accounts to be auto-provisioned as code moves through stages.
D) It enables administrators to construct nested Organizational Units (OUs) that extend up to 25 levels deep to map complex corporate hierarchies precisely.
E) It automatically converts all newly provisioned accounts into Management Accounts, distributing administrative liability dynamically across the entire organization.
F) It allows the explicit deletion of the Home Region, migrating the central landing zone architecture dynamically to whichever region is experiencing the lowest latency.
Correct Answer: C - It can be integrated directly into a Software Development Lifecycle (SDLC) via APIs, allowing new, compliant AWS accounts to be auto-provisioned as code moves through stag