AWS Certified Solutions Architect – Professional — Question 898

A large company is migrating its entire IT portfolio to AWS. Each business unit in the company has a standalone AWS account that supports both development and test environments. New accounts to support production workloads will be needed soon.
The Finance department requires a centralized method for payment but must maintain visibility into each group's spending to allocate costs.
The Security team requires a centralized mechanism to control IAM usage in all the company's accounts.
What combination of the following options meet the company's needs with the LEAST effort? (Choose two.)

Answer options

• A. Use a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account. Require all new and existing accounts to launch the appropriate stacks to enforce the least privilege model.
• B. Use AWS Organizations to create a new organization from a chosen payer account and define an organizational unit hierarchy. Invite the existing accounts to join the organization and create new accounts using Organizations.
• C. Require each business unit to use its own AWS accounts. Tag each AWS account appropriately and enable Cost Explorer to administer chargebacks.
• D. Enable all features of AWS Organizations and establish appropriate service control policies that filter IAM permissions for sub-accounts.
• E. Consolidate all of the company's AWS accounts into a single AWS account. Use tags for billing purposes and IAM's Access Advisor feature to enforce the least privilege model.

Correct answer: B, D

Explanation

AWS Organizations (Option B) allows the enterprise to set up consolidated billing under a single payer account while maintaining separate accounts for cost tracking and provisioning new accounts easily. Enabling all features in AWS Organizations allows the use of Service Control Policies (Option D), which provides the Security team with a centralized way to restrict IAM permissions across all member accounts. Other options, such as using CloudFormation for security enforcement (Option A) or merging all environments into a single account (Option E), introduce high operational overhead and violate AWS best practices for account isolation.