AWS Certified Solutions Architect – Professional (SAP-C02) — Question 359
A large company is migrating its entire IT portfolio to AWS. Each business unit in the company has a standalone AWS account that supports both development and test environments. New accounts to support production workloads will be needed soon.
The finance department requires a centralized method for payment but must maintain visibility into each group's spending to allocate costs.
The security team requires a centralized mechanism to control IAM usage in all the company’s accounts.
What combination of the following options meets the company’s needs with the LEAST effort? (Choose two.)
Answer options
- A. Use a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account. Require all new and existing accounts to launch the appropriate stacks to enforce the least privilege model.
- B. Use AWS Organizations to create a new organization from a chosen payer account and define an organizational unit hierarchy. Invite the existing accounts to join the organization and create new accounts using Organizations.
- C. Require each business unit to use its own AWS accounts. Tag each AWS account appropriately and enable Cost Explorer to administer chargebacks.
- D. Enable all features of AWS Organizations and establish appropriate service control policies that filter IAM permissions for sub-accounts.
- E. Consolidate all of the company's AWS accounts into a single AWS account. Use tags for billing purposes and the IAM’s Access Advisor feature to enforce the least privilege model.
Correct answer: B, D
Explanation
AWS Organizations allows a company to consolidate multiple AWS accounts under a single payer account, enabling consolidated billing and automated creation of new accounts (Option B). By enabling all features in AWS Organizations, the security team can centrally enforce maximum permission boundaries across all accounts using Service Control Policies (Option D). Other options, such as using CloudFormation for local IAM management or merging everything into a single account, do not scale well and require significant operational effort.