The correct choice is Use AWS CloudFormation StackSets with service-managed permissions from the management account to deploy a CloudTrail trail and required IAM roles to target OUs, enabling automatic deployments to new accounts and automatic stack instance removal when accounts are closed or leave.

Use AWS CloudFormation StackSets with service-managed permissions from the management account to deploy a CloudTrail trail and required IAM roles to target OUs, enabling automatic deployments to new accounts and automatic stack instance removal when accounts are closed or leave integrates directly with AWS Organizations so stacks are automatically deployed to accounts that join targeted organizational units and stack instances are automatically removed when accounts leave. You can model the CloudTrail trail and the required IAM roles as CloudFormation resources so deployments are consistent and repeatable. Using StackSets with service-managed permissions reduces custom cross account orchestration because AWS manages the service role and permissions needed to deploy into member accounts.

AWS Control Tower provides a prescriptive landing zone and guardrails but it brings its own account factory and baselines and it can be heavier to adopt for an environment that already uses Organizations. It is not the simplest choice for applying a custom set of IAM roles and automated cleanup across existing OUs.

Create an EventBridge rule in the management account that detects new account creation and invokes a Lambda function to configure CloudTrail and create the IAM roles can accomplish automation but it relies on custom code and complex cross account permissions. That approach increases operational overhead and does not provide the native automatic removal of deployed resources when an account leaves the organization.

Enable an organization trail for all member accounts and create a single IAM role to be shared across the organization centralizes CloudTrail logging but it does not provision IAM roles into each account automatically. Sharing a single role across accounts is not a replacement for deploying per-account IAM roles and it does not solve automated cleanup when accounts are removed.

Full AWS Practitioner Certification Question