AWS Certified Solutions Architect – Professional (SAP-C02) — Question 404
A company has multiple lines of business (LOBs) that roll up to the parent company. The company has asked its solutions architect to develop a solution with the following requirements:
• Produce a single AWS invoice for all of the AWS accounts used by its LOBs.
• The costs for each LOB account should be broken out on the invoice.
• Provide the ability to restrict services and features in the LOB accounts, as defined by the company's governance policy.
• Each LOB account should be delegated full administrator permissions, regardless of the governance policy.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
Answer options
- A. Use AWS Organizations to create an organization in the parent account for each LOB. Then invite each LOB account to the appropriate organization.
- B. Use AWS Organizations to create a single organization in the parent account. Then, invite each LOB's AWS account to join the organization.
- C. Implement service quotas to define the services and features that are permitted and apply the quotas to each LOB, as appropriate.
- D. Create an SCP that allows only approved services and features, then apply the policy to the LOB accounts.
- E. Enable consolidated billing in the parent account's billing console and link the LOB accounts.
Correct answer: B, D
Explanation
To consolidate invoices and break down costs per business unit, the solutions architect must establish a single organization using AWS Organizations in the parent account and invite the member accounts. To enforce governance and restrict service access while allowing local administrative permissions, Service Control Policies (SCPs) must be applied to the member accounts. SCPs act as permission guardrails, restricting what actions can be taken in an account even if a user has full AdministratorAccess permissions.