AWS Certified Solutions Architect – Professional (SAP-C02) — Question 456

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company hosts some applications in a VPC in the company's shared services account.

The company has attached a transit gateway to the VPC in the shared services account.

The company is developing a new capability and has created a development environment that requires access to the applications that are in the shared services account. The company intends to delete and recreate resources frequently in the development account. The company also wants to give a development team the ability to recreate the team's connection to the shared services account as required.

Which solution will meet these requirements?

Answer options

• A. Create a transit gateway in the development account. Create a transit gateway peering request to the shared services account. Configure the shared services transit gateway to automatically accept peering connections.
• B. Turn on automatic acceptance for the transit gateway in the shared services account. Use AWS Resource Access Manager (AWS RAM) to share the transit gateway resource in the shared services account with the development account. Accept the resource in the development account. Create a transit gateway attachment in the development account.
• C. Turn on automatic acceptance for the transit gateway in the shared services account. Create a VPC endpoint. Use the endpoint policy to grant permissions on the VPC endpoint for the development account. Configure the endpoint service to automatically accept connection requests. Provide the endpoint details to the development team.
• D. Create an Amazon EventBridge rule to invoke an AWS Lambda function that accepts the transit gateway attachment when the development account makes an attachment request. Use AWS Network Manager to share the transit gateway in the shared services account with the development account. Accept the transit gateway in the development account.

Correct answer: B

Explanation

Sharing the AWS Transit Gateway using AWS Resource Access Manager (AWS RAM) enables the development account to directly attach its VPCs to the central gateway. Enabling automatic acceptance on the shared services transit gateway allows the development team to autonomously delete and recreate their VPC attachments without requiring manual approval or custom automation. Other approaches, such as transit gateway peering or using AWS Network Manager for sharing, introduce unnecessary complexity and do not align with AWS best practices for cross-account VPC connectivity.