AWS Certified Solutions Architect – Professional — Question 639
A company has 50 AWS accounts that are members of an organization in AWS Organizations. Each account contains multiple VPCs. The company wants to use
AWS Transit Gateway to establish connectivity between the VPCs in each member account. Each time a new member account is created, the company wants to automate the process of creating a new VPC and a transit gateway attachment.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. From the management account, share the transit gateway with member accounts by using AWS Resource Access Manager.
- B. From the management account, share the transit gateway with member accounts by using an AWS Organizations SCP.
- C. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a VPC transit gateway attachment in a member account. Associate the attachment with the transit gateway in the management account by using the transit gateway ID.
- D. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a peering transit gateway attachment in a member account. Share the attachment with the transit gateway in the management account by using a transit gateway service-linked role.
- E. From the management account, share the transit gateway with member accounts by using AWS Service Catalog.
Correct answer: A, C
Explanation
To allow member accounts to attach VPCs to a central Transit Gateway, the gateway must be shared across the organization, which is done securely using AWS Resource Access Manager (RAM). Automation of VPC creation and the corresponding transit gateway attachment in new member accounts is best achieved by deploying an AWS CloudFormation stack set from the management account. SCPs are used for permission boundaries, not resource sharing, and Service Catalog does not directly facilitate Transit Gateway resource sharing.
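The following CloudFormation template is an added illustration of what the stack set in option C would deploy in each member account; it is not part of the original question. It assumes the transit gateway has already been shared with the organization through AWS RAM and that its ID is passed in as a parameter; the CIDR and logical names are constructed for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Per-account VPC plus a VPC attachment to a transit gateway that the
  management account shared through AWS RAM. Intended for a
  service-managed StackSet with auto-deployment enabled, so a new
  member account placed in the target OU receives this stack automatically.
Parameters:
  TransitGatewayId:
    Type: String
    Description: ID of the shared transit gateway (placeholder, supplied by the management account)
  VpcCidr:
    Type: String
    Default: 10.50.0.0/16   # constructed example range; use a per-account, non-overlapping block
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
  # One subnet per AZ is enough for the attachment ENI; first /24 of the VPC range.
  AttachmentSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 1, 8]]
      AvailabilityZone: !Select [0, !GetAZs ""]
  # The attachment is created in the member account and references the
  # shared gateway by ID only; the gateway object itself stays owned by
  # the management account. If the gateway does not auto-accept shared
  # attachments, the owner must accept this attachment before traffic flows.
  TgwAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      TransitGatewayId: !Ref TransitGatewayId
      VpcId: !Ref Vpc
      SubnetIds:
        - !Ref AttachmentSubnet
Outputs:
  AttachmentId:
    Description: Attachment to route or accept from the management account
    Value: !Ref TgwAttachment
```

Creating the stack set with the service-managed permission model and auto-deployment enabled is what ties this template to account creation: CloudFormation deploys it to any account that joins the targeted organizational unit, so no per-account step is needed beyond keeping the RAM share in place.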