Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 336 discussion

Stackset cant deploy to management account.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-associate-stackset-with-org.html#:~:text=StackSets%20doesn%27t%20deploy%20stack%20instances%20to%20the%20organization%27s%20management%20account%2C%20even%20if%20the%20management%20account%20is%20in%20your%20organization%20or%20in%20an%20OU%20in%20your%20organization Stackset cant deploy to management acct

StackSets automatically generates the IAM roles required to deploy stack instances. You can create the IAM roles required by the AWS CloudFormation StackSets feature in the management account of AWS Organizations.

Should be B I think. A stackset with service-managed permissions does not deploy to the management account. "StackSets doesn't deploy stack instances to the organization's management account, even if the management account is in your organization or in an OU in your organization." https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-orgs-associate-stackset-with-org

A. Create a CloudFormation StackSet that has service-managed permissions. Set the root OU as a deployment target.

Using service-managed permissions simplifies the deployment process because AWS manages the permissions required for deploying the StackSet. This reduces the complexity and effort involved in setting up and managing permissions manually. By setting the root Organizational Unit (OU) as the deployment target, the StackSet will automatically deploy the IAM role to all AWS accounts under the root OU, including both existing and future accounts. This ensures comprehensive and automatic coverage. Service-managed StackSets provide a streamlined and scalable solution, requiring minimal manual intervention and oversight, thus reducing operational overhead.