AWS Certified Solutions Architect – Professional — Question 826

A Solutions Architect is designing a multi-account structure that has 10 existing accounts. The design must meet the following requirements:
✑ Consolidate all accounts into one organization.
✑ Allow full access to the Amazon EC2 service from the master account and the secondary accounts.
✑ Minimize the effort required to add additional secondary accounts.
Which combination of steps should be included in the solution? (Choose two.)

Answer options

• A. Create an organization from the master account. Send invitations to the secondary accounts from the master account. Accept the invitations and create an OU.
• B. Create an organization from the master account. Send a join request to the master account from each secondary account. Accept the requests and create an OU.
• C. Create a VPC peering connection between the master account and the secondary accounts. Accept the request for the VPC peering connection.
• D. Create a service control policy (SCP) that enables full EC2 access, and attach the policy to the OU.
• E. Create a full EC2 access policy and map the policy to a role in each account. Trust every other account to assume the role.

Correct answer: A, D

Explanation

Creating an organization from the management account and inviting the existing accounts is the correct way to consolidate them under AWS Organizations. Applying a Service Control Policy (SCP) at the Organizational Unit (OU) level ensures that all current and future member accounts placed in that OU automatically inherit the EC2 permissions, minimizing administrative overhead. Managing individual IAM roles or VPC peering connections across all accounts does not scale well and increases operational effort.