AWS Certified Security – Specialty — Question 349
A company has two applications: Application A and Application B. The applications run in different VPCs in the same account. The account is not part of an organization in AWS Organizations. The company's development team manages both applications by using AWS CloudFormation.
The development team splits into two teams. Now, Team A manages Application A and Team B manages Application B. AWS CloudTrail logs in the account are sent to an Amazon S3 bucket.
The company needs to prevent faults in one application from affecting the other application, ensure that teams can access only their own workloads, and send CloudTrail logs to a central S3 bucket. In addition, the company needs granular billing for each application.
What is the MOST operationally efficient solution that meets these requirements?
Answer options
- A. Deploy an attribute-based access control (ABAC) tagging strategy to separate the teams. Use cost allocation tags for granular billing.
- B. Deploy a role-based access control (RBAC) tagging strategy to separate the teams. Use cost allocation tags for granular billing.
- C. Deploy AWS Control Tower. Create two accounts: one account for Application A and one account for Application B. Migrate each application to its new account.
- D. Migrate Application B to a new account. Use CloudFormation to send CloudTrail logs from the new account to the existing S3 bucket in the original account.
Correct answer: A
Explanation
Implementing an attribute-based access control (ABAC) tagging strategy lets the company keep both applications in the same account while restricting each team to the resources that carry its own tag, and the same tags, activated as cost allocation tags, provide the required granular billing. Because nothing leaves the account, the existing CloudTrail trail continues to deliver logs to the central S3 bucket with no extra configuration. This avoids the high operational overhead of setting up AWS Control Tower or migrating workloads to separate accounts, as proposed in options C and D. Option B is incorrect because RBAC does not scale as dynamically as ABAC for tag-based resource isolation: every new resource or team would need new role definitions rather than simply a tag.
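As an added illustration of the ABAC strategy in option A (this code is not part of the original question page and is not an AWS-provided tool), the block below builds an IAM policy document that allows a team to act only on resources whose `Application` tag matches the team's own principal tag, denies any attempt to change that tag, and includes a small offline approximation of IAM's evaluation order (explicit Deny wins, then a matching Allow, otherwise implicit deny) so the isolation can be checked without an account. The `Application` tag key, the values `A` and `B`, the action lists and the billing line items are all assumptions made for the example.

```python
"""Added example: ABAC team-isolation policy and an offline evaluation check.
Tag key, tag values, action lists and cost data are assumptions, not values
taken from the question page."""
import fnmatch
import json
from collections import defaultdict

TAG_KEY = "Application"  # assumed tag key; team principals and resources carry A or B


def abac_team_policy(tag_key=TAG_KEY):
    """IAM policy (as a dict): allow actions only when the caller's principal tag
    equals the resource's tag, and deny any attempt to add or remove that tag."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOwnWorkloadOnly",
                "Effect": "Allow",
                "Action": ["ec2:*", "rds:*", "cloudformation:*"],  # assumed action set
                "Resource": "*",
                "Condition": {"StringEquals": {
                    f"aws:ResourceTag/{tag_key}": f"${{aws:PrincipalTag/{tag_key}}}"}},
            },
            {
                "Sid": "DenyTagTampering",
                "Effect": "Deny",
                "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
                "Resource": "*",
                "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": [tag_key]}},
            },
        ],
    }


def _condition_matches(cond, principal_tags, resource_tags, request_tag_keys):
    """Evaluate only the two condition operators this policy shape uses."""
    prefix = "${aws:PrincipalTag/"
    for key, value in cond.get("StringEquals", {}).items():
        # The policy variable is substituted with the caller's own tag value.
        if value.startswith(prefix):
            value = principal_tags.get(value[len(prefix):-1])
        if key.startswith("aws:ResourceTag/"):
            if value is None or resource_tags.get(key[len("aws:ResourceTag/"):]) != value:
                return False
    for key, values in cond.get("ForAnyValue:StringEquals", {}).items():
        # Multivalued key: true if any requested tag key is in the listed set.
        if key == "aws:TagKeys" and not set(values) & set(request_tag_keys):
            return False
    return True


def is_allowed(policy, action, principal_tags, resource_tags, request_tag_keys=()):
    """Simplified IAM decision: explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Resource ARNs are ignored (all statements use '*')."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), principal_tags,
                                  resource_tags, request_tag_keys):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def cost_by_application(line_items, tag_key=TAG_KEY):
    """Group constructed billing line items by the cost allocation tag value."""
    totals = defaultdict(float)
    for item in line_items:
        totals[item["tags"].get(tag_key, "untagged")] += item["cost_usd"]
    return dict(totals)


if __name__ == "__main__":
    policy = abac_team_policy()
    print(json.dumps(policy, indent=2))
    team_a = {TAG_KEY: "A"}
    print(is_allowed(policy, "ec2:StartInstances", team_a, {TAG_KEY: "A"}))  # True
    print(is_allowed(policy, "ec2:StartInstances", team_a, {TAG_KEY: "B"}))  # False
    print(cost_by_application([  # constructed sample line items
        {"tags": {TAG_KEY: "A"}, "cost_usd": 10.0},
        {"tags": {TAG_KEY: "B"}, "cost_usd": 4.5},
        {"tags": {}, "cost_usd": 1.0},
    ]))
```

The evaluator is deliberately minimal (no resource ARN matching, only the two condition operators used here); its purpose is to make the isolation property visible: a principal tagged `A` can operate on `A`-tagged resources, is denied on `B`-tagged or untagged resources, and cannot re-tag resources to escape the boundary. The same tag doubles as the cost allocation key, which is what gives each application its own line in billing; untagged spend shows up separately, which is the check to watch for when the strategy is rolled out.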