Question 224 of 1,546
Deployment, Provisioning, and AutomationmediumMultiple ChoiceObjective-mapped

Quick Answer

The correct solution is to create an AWS CloudFormation StackSet with the template containing the AWS Config rules and SNS topic, then configure the StackSet to deploy to the organization and enable automatic deployment to new accounts. This works because StackSets allow you to centrally manage infrastructure across multiple accounts and Regions from a single management account, and when you enable automatic deployment for an organization or organizational unit, any new member account added to AWS Organizations is automatically targeted by the StackSet. On the SOA-C02 exam, this scenario tests your understanding of how to enforce governance at scale without manual intervention, and a common trap is choosing Service Catalog or a simple CloudFormation stack, which lack the automatic targeting of new accounts. Remember the key phrase: StackSets + Organizations + automatic deployment = hands-off baseline compliance.

SOA-C02 Deployment, Provisioning, and Automation Practice Question

This SOA-C02 practice question tests your understanding of deployment, provisioning, and automation. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: cloudFormation StackSets deploy stacks to multiple accounts and Regions from a single template.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company manages multiple AWS accounts under AWS Organizations. The SysOps administrator needs to deploy a baseline set of AWS Config rules and an Amazon SNS topic to each account in the organization. The deployment must be centrally managed from the management account and automatically applied to any new member account added in the future. Which solution should the administrator use?

Question 1mediummultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Create an AWS CloudFormation StackSet with the template containing the AWS Config rules and SNS topic. Configure the StackSet to deploy to the organization and enable automatic deployment to new accounts.

AWS CloudFormation StackSets can be deployed to an entire AWS Organizations organization or organizational units (OUs), and they support automatic deployment to new accounts added to the organization. By creating a StackSet with a template that defines the AWS Config rules and SNS topic, and enabling automatic deployment, the administrator ensures that every current and future member account receives the baseline configuration without manual intervention.

Key principle: CloudFormation StackSets deploy stacks to multiple accounts and Regions from a single template.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Create an AWS CloudFormation StackSet with the template containing the AWS Config rules and SNS topic. Configure the StackSet to deploy to the organization and enable automatic deployment to new accounts.

    Why this is correct

    CloudFormation StackSets can centrally deploy stacks to accounts in AWS Organizations. With automatic deployment enabled, new accounts added to the organization will automatically receive the stack.

    Related concept

    CloudFormation StackSets deploy stacks to multiple accounts and Regions from a single template.

  • Use AWS Service Catalog to create a product that bundles the AWS Config rules and SNS topic. Grant each account access to launch the product.

    Why it's wrong here

    AWS Service Catalog requires each account to manually launch the product. It does not automatically deploy to new accounts, and it is not primarily designed for cross-account deployment of a baseline configuration.

  • Configure AWS Config conformance packs in the management account and use AWS Resource Access Manager to share them with member accounts.

    Why it's wrong here

    Conformance packs are a feature of AWS Config but must be deployed per account and Region. AWS RAM does not share Config rules or resources like SNS topics in this manner.

  • Create an AWS Organizations Service Control Policy (SCP) that enforces the creation of AWS Config rules and SNS topics in every account.

    Why it's wrong here

    SCPs define permission boundaries; they cannot create resources. They can only allow or deny actions. They cannot proactively deploy resources.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse Service Control Policies (SCPs) with resource enforcement, not realizing that SCPs only control permissions and cannot create or configure resources like AWS Config rules or SNS topics.

Detailed technical explanation

How to think about this question

CloudFormation StackSets use service-managed permissions to integrate with AWS Organizations, allowing the StackSet to be deployed across accounts and regions with a single operation. When automatic deployment is enabled, the StackSet automatically deploys to new accounts as they join the organization, and the 'RetainStacksOnAccountRemoval' setting can be configured to control behavior when accounts leave. This approach ensures that the baseline configuration is consistently applied without requiring per-account scripts or manual triggers.

KKey Concepts to Remember

  • CloudFormation StackSets deploy stacks to multiple accounts and Regions from a single template.
  • StackSets integrate with AWS Organizations for target account specification.
  • Automatic deployment ensures new organization accounts receive the StackSet's resources.
  • StackSets maintain consistent resource configurations across an organization.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

CloudFormation StackSets deploy stacks to multiple accounts and Regions from a single template.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Review cloudFormation StackSets deploy stacks to multiple accounts and Regions from a single template., then practise related SOA-C02 questions on the same topic to reinforce the concept.

Related practice questions

Related SOA-C02 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SOA-C02 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SOA-C02 question test?

Deployment, Provisioning, and Automation — This question tests Deployment, Provisioning, and Automation — CloudFormation StackSets deploy stacks to multiple accounts and Regions from a single template..

What is the correct answer to this question?

The correct answer is: Create an AWS CloudFormation StackSet with the template containing the AWS Config rules and SNS topic. Configure the StackSet to deploy to the organization and enable automatic deployment to new accounts. — AWS CloudFormation StackSets can be deployed to an entire AWS Organizations organization or organizational units (OUs), and they support automatic deployment to new accounts added to the organization. By creating a StackSet with a template that defines the AWS Config rules and SNS topic, and enabling automatic deployment, the administrator ensures that every current and future member account receives the baseline configuration without manual intervention.

What should I do if I get this SOA-C02 question wrong?

Review cloudFormation StackSets deploy stacks to multiple accounts and Regions from a single template., then practise related SOA-C02 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

CloudFormation StackSets deploy stacks to multiple accounts and Regions from a single template.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

6 more ways this is tested on SOA-C02

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company has a multi-account AWS environment using AWS Organizations. The SysOps Administrator needs to deploy a standardized set of baseline resources (VPC, subnets, security groups, and an S3 bucket for logs) into each new member account as soon as the account is created. The administrator wants to automate this process using AWS CloudFormation and ensure that the baseline resources are deployed without manual intervention. The organization uses AWS CloudTrail and AWS Config for governance. What solution should the administrator implement?

hard
  • A.Use AWS CloudFormation StackSets with automatic deployment to accounts in the organization.
  • B.Create an AWS Config rule that triggers an AWS Lambda function to deploy the baseline resources when a new account is created.
  • C.Store the CloudFormation template in Amazon S3 and use S3 event notifications to trigger a Lambda function that deploys the stack into the new account.
  • D.Use AWS Service Catalog to create a portfolio with the baseline products and grant access to the organization.

Why A: Option C is correct. AWS CloudFormation StackSets allow deploying stacks across multiple accounts and regions from a management account. Combined with AWS Organizations, StackSets can automatically deploy to new accounts when they join the organization. Option A is wrong because AWS Config rules do not deploy resources. Option B is wrong because AWS CloudFormation templates deployed via S3 events require manual triggering. Option D is wrong because AWS Service Catalog allows provisioning but requires users to launch products manually.

Variation 2. A company has multiple AWS accounts managed under AWS Organizations. The SysOps administrator needs to deploy a common AWS CloudFormation template to all accounts in a specific organizational unit (OU), ensuring consistent security group configurations across the organization. Which AWS service should the administrator use to perform this deployment?

medium
  • A.AWS CloudFormation StackSets
  • B.AWS CodePipeline with cross-account actions
  • C.AWS Service Catalog portfolio
  • D.AWS Systems Manager Automation

Why A: AWS CloudFormation StackSets extends the functionality of CloudFormation by allowing you to deploy a common template across multiple accounts and regions from a single management account. In this scenario, the administrator can target the specific organizational unit (OU) within AWS Organizations, ensuring consistent security group configurations are applied to all member accounts without manual intervention.

Variation 3. A company uses AWS Organizations with multiple member accounts. The SysOps administrator needs to deploy a common AWS CloudFormation template that creates an IAM role across all member accounts in the organization. Which AWS service should be used to deploy this template across accounts?

medium
  • A.AWS CloudFormation StackSets
  • B.AWS CodePipeline with cross-account deployment actions
  • C.AWS CloudFormation cross-stack references
  • D.AWS Service Catalog

Why A: AWS CloudFormation StackSets is the correct service because it extends CloudFormation functionality to deploy templates across multiple accounts and regions from a single management account. StackSets uses a self-managed or service-managed permission model, and with AWS Organizations, it can automatically deploy to all member accounts in the organization or specified organizational units (OUs), making it ideal for deploying a common IAM role across all accounts.

Variation 4. A SysOps administrator is tasked with automating the deployment of an application across multiple AWS accounts. Which AWS service should be used to orchestrate the deployment across accounts?

easy
  • A.AWS CodeDeploy
  • B.AWS CloudFormation StackSets
  • C.AWS Service Catalog
  • D.AWS Systems Manager

Why B: Option B is correct because AWS CloudFormation StackSets allows you to deploy CloudFormation stacks across multiple accounts and regions in a single operation. Option A (CodeDeploy) is for deploying applications to EC2 or on-premises, not across accounts. Option C (Service Catalog) is for creating and managing a catalog of approved IT services, not for multi-account orchestration. Option D (Systems Manager) is for management and patching, not orchestrated cross-account deployments.

Variation 5. A SysOps administrator needs to deploy a CloudFormation stack across multiple AWS accounts in an organization using AWS Organizations. The administrator wants to use a single template and a single deployment operation. Which AWS service should be used to centrally manage the deployment?

easy
  • A.AWS Systems Manager
  • B.AWS OpsWorks Stacks
  • C.AWS CodePipeline
  • D.AWS CloudFormation StackSets

Why D: Option A is correct because AWS CloudFormation StackSets allow deploying stacks across multiple accounts and regions from a single template. Option B is incorrect because OpsWorks is for configuration management. Option C is incorrect because CodePipeline is for CI/CD pipelines. Option D is incorrect because Systems Manager is for operational management.

Variation 6. A SysOps administrator needs to deploy the same AWS CloudFormation template across multiple AWS accounts and Regions in a single operation. The administrator wants to manage the deployment from a single management account. Which AWS service should the administrator use?

medium
  • A.AWS CodeDeploy
  • B.AWS Elastic Beanstalk
  • C.AWS CloudFormation StackSets
  • D.AWS Service Catalog

Why C: AWS CloudFormation StackSets extends the functionality of CloudFormation by allowing you to deploy the same template across multiple accounts and Regions from a single management account. StackSets uses a self-managed or service-managed permission model to create, update, and delete stacks across target accounts in a single operation, making it the correct choice for this multi-account, multi-Region deployment requirement.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SOA-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SOA-C02 exam.