AWS · SAP-C02

Account Vending And Provisioning Automation — AWS Solutions Architect Pro (SAP-C02)

3%of exam questions (5 of 200)

Control Tower Account Factory vs Custom Provisioning Pipeline

Building account provisioning with CloudFormation StackSets and Lambda is technically viable, but the scenario usually signals whether operational overhead matters. When an enterprise needs consistent baseline controls, centralized logging, and pre-configured guardrails on every new account, Control Tower's Account Factory removes the need to build and maintain that automation entirely. The custom-pipeline option appears as a distractor when a managed solution covers the requirements. Before selecting it, confirm the scenario includes a requirement that Account Factory cannot satisfy, such as a non-standard baseline that the managed landing zone does not support.

What This Pattern Tests

The exam tests whether you automate account provisioning with built-in security. Control Tower Account Factory creates new accounts with baseline guardrails (SCPs), logging (CloudTrail to log archive account), and security (SecurityHub, GuardDuty enabled). Service Catalog provides a self-service portal for approved CloudFormation templates — developers can provision pre-approved resources without full account access. The trap is creating accounts manually and retroactively applying security controls (gaps exist between creation and hardening) or giving developers full account access instead of Service Catalog portfolios.

Decision Axis

Automation scope (full account provisioning vs. resource provisioning) and guardrail timing (at creation vs. after creation).

Associated Traps

Operational Complexity Underestimation (5)Self-managed Kubernetes on EC2 — a full-time job disguised as a deployment strategy.

More Top Traps on This Exam

Near-Right Architecture · 45%CloudFront + ALB or Global Accelerator + NLB? Both cut latency — only one preserves client IPs over TCP.Cost Blind Spot · 17%Spot Instances cut that ECS cluster by 70% — but you built Multi-AZ with On-Demand because it felt safer.

Decision Rules

Whether AWS Control Tower Account Factory with AFT customization hooks satisfies every stated constraint (encryption guardrail, centralized logging, baseline VPC, scalability) and should be chosen over a custom-built vending pipeline — selecting the managed service eliminates ongoing orchestration maintenance while preserving full guardrail and baseline fidelity.

AWS Control TowerAWS OrganizationsAWS Service Catalog

Domain Coverage

Design Solutions for Organizational Complexity

Difficulty Breakdown

Hard: 5

Build recognition speed →

See all SAP-C02 patterns →