AWS Certified Solutions Architect – Professional — Question 336
A company has multiple lines of business (LOBs) that roll up to the parent company. The company has asked its solutions architect to develop a solution with the following requirements:
- Produce a single AWS invoice for all of the AWS accounts used by its LOBs.
- The costs for each LOB account should be broken out on the invoice.
- Provide the ability to restrict services and features in the LOB accounts, as defined by the company's governance policy.
- Each LOB account should be delegated full administrator permissions, regardless of the governance policy.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
Answer options
- A. Use AWS Organizations to create an organization in the parent account for each LOB. Then, invite each LOB account to the appropriate organization.
- B. Use AWS Organizations to create a single organization in the parent account. Then, invite each LOB's AWS account to join the organization.
- C. Implement service quotas to define the services and features that are permitted and apply the quotas to each LOB as appropriate.
- D. Create an SCP that allows only approved services and features, then apply the policy to the LOB accounts. Enable consolidated billing in the parent account's billing console and link the LOB accounts.
Correct answer: B, D
Explanation
Creating a single organization with AWS Organizations (Option B) allows for consolidated billing, which satisfies the requirement for a single invoice with itemized LOB costs. Service Control Policies (SCPs) (Option D) act as maximum permission guardrails, allowing the parent company to restrict services and features while still permitting LOB users to have full administrator permissions within their accounts. Using service quotas (Option C) only limits resource consumption rather than restricting service access, and creating multiple organizations (Option A) would prevent unified consolidated billing.
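The guardrail behaviour described above, as an added example that is not part of the original question: a simplified Python model (not AWS's policy evaluation engine) in which an LOB administrator's effective permissions are the intersection of an allow-list SCP and the identity policy. The approved services `ec2`, `s3` and `rds` are constructed placeholders, and resources, conditions and `NotAction` are ignored.

```python
import json
from fnmatch import fnmatchcase

# Constructed allow-list SCP; the approved services are placeholders.
ALLOW_LIST_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "rds:*"], "Resource": "*"}
  ]
}
""")

# Same shape as an "allow everything" administrator policy in the LOB account.
ADMIN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _actions(statement):
    """Return the statement's Action element as a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else action


def _matches(policy, effect, action):
    """True if any statement with this Effect covers the action."""
    for statement in policy["Statement"]:
        if statement["Effect"] != effect:
            continue
        if any(fnmatchcase(action.lower(), p.lower()) for p in _actions(statement)):
            return True
    return False


def is_permitted(action, scps, identity_policy):
    """Explicit deny wins; otherwise every SCP and the identity policy must allow."""
    policies = list(scps) + [identity_policy]
    if any(_matches(p, "Deny", action) for p in policies):
        return False
    return all(_matches(p, "Allow", action) for p in policies)


if __name__ == "__main__":
    for act in ("s3:GetObject", "ec2:RunInstances", "sagemaker:CreateModel"):
        allowed = is_permitted(act, [ALLOW_LIST_SCP], ADMIN_IDENTITY_POLICY)
        print(f"{act:28} {'allowed' if allowed else 'blocked by SCP'}")
```

The SCP grants nothing by itself: a principal with no identity policy is still denied an approved action. SCPs also do not apply to the organization's management account, so the guardrail covers only the member LOB accounts.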