AWS Certified Solutions Architect – Professional — Question 1004
A company is building dozens of new workloads by using a variety of AWS services. Each workload will belong to a separate business unit. The company needs to minimize costs as each business unit experiments with ways to innovate. The company also needs to maximize scalability for its security team so that the security team can identify and respond to threats as quickly as possible for all the workloads.
Which combination of actions should a solutions architect take to meet these requirements? (Choose three.)
Answer options
- A. Set up a multi-account environment by using AWS Organizations. Organize accounts into the following OUs: Security, Infrastructure, Workloads, and Exception.
- B. Set up a multi-account environment by using AWS Organizations. Organize accounts into the following SCPs: Security, Infrastructure, Workloads, and Exception.
- C. Configure AWS Trusted Advisor to invoke an AWS Lambda function to move an AWS account that reaches a predefined budget threshold into the Exception OU. Apply an SCP at the root of the organization with a condition that matches the Exception OU to limit usage to core services, including Amazon EC2, Amazon S3, and Amazon RDS.
- D. Use AWS Budgets alerts to invoke an AWS Lambda function to move an AWS account that reaches a predefined budget threshold into the Exception OU. Apply an SCP to the Exception OU to limit usage to core services, including Amazon EC2, Amazon S3, and Amazon RDS.
- E. Turn on Amazon GuardDuty in each account. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team to the topic so that the security team can receive alerts.
- F. Create a delegated administrator account for Amazon GuardDuty in the organization in AWS Organizations. Create an Amazon Simple Notification Service (Amazon SNS) topic in this account. Subscribe the security team to the topic so that the security team can receive alerts.
Correct answer: A, D, F
Explanation
A sets up the organizational structure correctly: AWS Organizations groups accounts into organizational units (OUs), and service control policies (SCPs) are policy documents attached to the root, an OU, or an account, not containers that accounts can be "organized into", which is why B is wrong. D automates cost isolation with the service built for it: an AWS Budgets alert publishes to an Amazon SNS topic, a Lambda function subscribed to that topic calls the Organizations MoveAccount API to move the over-budget account into the Exception OU, and an SCP attached directly to that OU restricts the account to core services (Amazon EC2, Amazon S3, Amazon RDS). C is wrong on both counts: AWS Trusted Advisor checks best practices and is not a budget-threshold mechanism, and attaching the SCP at the root and trying to scope it to one OU by condition is needlessly indirect when the SCP can be attached to the Exception OU itself. F scales threat detection for the security team: a delegated administrator account for Amazon GuardDuty can auto-enable GuardDuty in every current and future member account and aggregates all findings in one place, so a single EventBridge rule and SNS topic in that account alert the team for every workload. E requires enabling and wiring up GuardDuty in each account individually, which does not scale to dozens of accounts.
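As an added illustration (not part of the original question or answer key), this is the kind of SCP that option D would attach to the Exception OU. It uses the Deny plus NotAction pattern so that everything except the listed core services is blocked; the specific service list beyond EC2, S3 and RDS is an assumption made here, and most organizations would keep IAM, STS and their logging and security tooling on the allow side so the account stays administrable and auditable while it is quarantined.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExceptionOUCoreServicesOnly",
      "Effect": "Deny",
      "NotAction": [
        "ec2:*",
        "s3:*",
        "rds:*",
        "iam:*",
        "sts:*",
        "cloudtrail:*",
        "guardduty:*",
        "budgets:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Two caveats a practitioner should check before relying on this: SCPs never apply to the management account, so an over-budget workload must live in a member account for the move into the Exception OU to have any effect; and SCPs only set the maximum available permissions, so the default FullAWSAccess policy (or an equivalent Allow) still needs to be attached, or the deny list above is moot because nothing is allowed in the first place.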