The company’s requirements span preventive governance, account baseline configuration, and continuous compliance monitoring, all with minimal operational overhead. AWS-native, organization-level services are the most efficient way to meet these goals.
To ensure that new accounts do not retain default VPCs and that development is restricted to specific Regions, AWS Control Tower is the correct foundation. However, Control Tower alone does not remove default VPCs. By installing Customizations for AWS Control Tower (CfCT), the company can automatically deploy OU-scoped CloudFormation templates during account provisioning. A simple CloudFormation template can delete default VPCs in all Regions, while Control Tower-managed Region deny guardrails (SCPs) restrict access to only approved Regions. This approach is declarative, repeatable, and tightly integrated with account creation workflows, resulting in low operational overhead.
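The two controls described above, default VPC removal and a Region-deny SCP, as an added example that is not part of the original page and not code from the CfCT project. CloudFormation has no native resource that deletes a default VPC, so a CfCT-deployed template would carry this logic in a Lambda-backed custom resource; the functions below are that logic, with the EC2 client injected so it can run offline against the constructed fake. The SCP builder follows the shape of AWS's documented Region-deny policy, but the global-service list and the exempted role ARN are shortened, assumed values.

```python
"""Account-baseline hardening: delete default VPCs in every Region and build a
Region-deny SCP. Added example; clients are injected so it runs offline."""
from typing import Callable, Dict, List

# Assumption: a shortened version of the global services AWS exempts in its
# documented Region-deny SCP; a production policy would carry the full list.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "support:*",
    "cloudfront:*", "route53:*", "budgets:*", "health:*",
]


def region_deny_scp(allowed_regions: List[str], exempt_role_arns: List[str]) -> Dict:
    """Deny all non-global actions outside the approved Regions, except for the
    automation/break-glass principals listed in exempt_role_arns."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": allowed_regions},
                "ArnNotLike": {"aws:PrincipalARN": exempt_role_arns},
            },
        }],
    }


def default_vpc_ids(ec2) -> List[str]:
    """IDs of default VPCs in one Region (normally zero or one)."""
    resp = ec2.describe_vpcs(Filters=[{"Name": "isDefault", "Values": ["true"]}])
    return [v["VpcId"] for v in resp["Vpcs"]]


def delete_default_vpc(ec2, vpc_id: str) -> List[str]:
    """Delete a default VPC in the order EC2 requires: subnets first, then the
    internet gateway (detach, then delete), then the VPC. The default security
    group, route table and NACL go with the VPC. Returns removed IDs in order."""
    removed = []
    for s in ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["Subnets"]:
        ec2.delete_subnet(SubnetId=s["SubnetId"])
        removed.append(s["SubnetId"])
    igws = ec2.describe_internet_gateways(
        Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}])["InternetGateways"]
    for igw in igws:
        ec2.detach_internet_gateway(InternetGatewayId=igw["InternetGatewayId"], VpcId=vpc_id)
        ec2.delete_internet_gateway(InternetGatewayId=igw["InternetGatewayId"])
        removed.append(igw["InternetGatewayId"])
    ec2.delete_vpc(VpcId=vpc_id)
    removed.append(vpc_id)
    return removed


def remove_default_vpcs(regions: List[str], client_for: Callable[[str], object]) -> Dict[str, List[str]]:
    """Run the cleanup in every Region; client_for(region) returns an EC2 client."""
    report = {}
    for region in regions:
        ec2 = client_for(region)
        for vpc_id in default_vpc_ids(ec2):
            report[region] = delete_default_vpc(ec2, vpc_id)
    return report


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client that holds one default VPC
    and enforces the same dependency ordering the real API does."""
    def __init__(self, vpc_id, subnet_ids, igw_id):
        self.vpcs = {vpc_id: {"VpcId": vpc_id, "IsDefault": True}}
        self.subnets = {s: vpc_id for s in subnet_ids}
        self.igws = {igw_id: vpc_id}

    def describe_vpcs(self, Filters):
        return {"Vpcs": [v for v in self.vpcs.values() if v["IsDefault"]]}

    def describe_subnets(self, Filters):
        vpc = Filters[0]["Values"][0]
        return {"Subnets": [{"SubnetId": s} for s, v in self.subnets.items() if v == vpc]}

    def delete_subnet(self, SubnetId):
        del self.subnets[SubnetId]

    def describe_internet_gateways(self, Filters):
        vpc = Filters[0]["Values"][0]
        return {"InternetGateways": [{"InternetGatewayId": i} for i, v in self.igws.items() if v == vpc]}

    def detach_internet_gateway(self, InternetGatewayId, VpcId):
        self.igws[InternetGatewayId] = None  # detached, still exists

    def delete_internet_gateway(self, InternetGatewayId):
        del self.igws[InternetGatewayId]

    def delete_vpc(self, VpcId):
        if VpcId in self.subnets.values() or VpcId in self.igws.values():
            raise RuntimeError("DependencyViolation: VPC still has dependencies")
        del self.vpcs[VpcId]


def demo() -> Dict[str, List[str]]:
    """Offline run over two constructed Regions; returns the per-Region report."""
    fakes = {
        "us-east-1": FakeEC2("vpc-0aaa", ["subnet-0a1", "subnet-0a2"], "igw-0aa"),
        "eu-west-1": FakeEC2("vpc-0bbb", ["subnet-0b1"], "igw-0bb"),
    }
    return remove_default_vpcs(list(fakes), lambda r: fakes[r])


if __name__ == "__main__":
    # Real use: client_for = lambda r: boto3.client("ec2", region_name=r)
    print(demo())
```

In the Lambda-backed custom resource the same `remove_default_vpcs` call would be driven by `ec2.describe_regions()` for the list of enabled Regions, and the SCP document from `region_deny_scp` would be attached at the OU rather than per account.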
For CIS AWS Foundations Benchmark compliance monitoring, AWS Security Hub is the purpose-built service. Enabling Security Hub at the organization level and selecting the CIS benchmark automatically evaluates all member accounts against CIS controls and continuously reports findings. This provides centralized visibility and compliance reporting without custom rule development.
Option C introduces custom Lambda automation and EventBridge logic, increasing the maintenance burden. Option E is incorrect because Control Tower does not provide full CIS benchmark monitoring; it only offers related detective guardrails.
Therefore, Option B (Control Tower + CfCT) and Option D (Security Hub with CIS benchmark) together provide the most efficient, scalable, and AWS-recommended solution.