AWS Certified Solutions Architect – Associate (SAA-C03) — Question 841

A company wants to isolate its workloads by creating an AWS account for each workload. The company needs a solution that centrally manages networking components for the workloads. The solution also must create accounts with automatic security controls (guardrails).

Which solution will meet these requirements with the LEAST operational overhead?

Answer options

• A. Use AWS Control Tower to deploy accounts. Create a networking account that has a VPC with private subnets and public subnets. Use AWS Resource Access Manager (AWS RAM) to share the subnets with the workload accounts.
• B. Use AWS Organizations to deploy accounts. Create a networking account that has a VPC with private subnets and public subnets. Use AWS Resource Access Manager (AWS RAM) to share the subnets with the workload accounts.
• C. Use AWS Control Tower to deploy accounts. Deploy a VPC in each workload account. Configure each VPC to route through an inspection VPC by using a transit gateway attachment.
• D. Use AWS Organizations to deploy accounts. Deploy a VPC in each workload account. Configure each VPC to route through an inspection VPC by using a transit gateway attachment.

Correct answer: A

Explanation

AWS Control Tower is the ideal service for automatically provisioning new accounts with built-in security guardrails, which rules out using AWS Organizations alone. Additionally, sharing subnets from a central networking VPC via AWS Resource Access Manager (AWS RAM) requires significantly less operational overhead than deploying and connecting individual VPCs for each account using Transit Gateway.