AWS Certified Solutions Architect – Professional — Question 852

A company is running multiple applications on Amazon EC2. Each application is deployed and managed by multiple business units. All applications are deployed on a single AWS account but on different virtual private clouds (VPCs). The company uses a separate VPC in the same account for test and development purposes.
Production applications suffered multiple outages when users accidentally terminated and modified resources that belonged to another business unit. A Solutions
Architect has been asked to improve the availability of the company applications while allowing the Developers access to the resources they need.
Which option meets the requirements with the LEAST disruption?

Answer options

• A. Create an AWS account for each business unit. Move each business unit's instances to its own account and set up a federation to allow users to access their business unit's account.
• B. Set up a federation to allow users to use their corporate credentials, and lock the users down to their own VPC. Use a network ACL to block each VPC from accessing other VPCs.
• C. Implement a tagging policy based on business units. Create an IAM policy so that each user can terminate instances belonging to their own business units only.
• D. Set up role-based access for each user and provide limited permissions based on individual roles and the services for which each user is responsible.

Correct answer: C

Explanation

Implementing a tagging policy combined with IAM policies (Attribute-Based Access Control) is the least disruptive method to restrict resource modification to specific business units within a single AWS account. Creating separate AWS accounts for each unit would require significant migration effort and cause high disruption. Using network ACLs or general role-based access does not natively prevent users from executing API calls to terminate instances belonging to other business units.