AWS Certified Solutions Architect – Professional — Question 900

A company wants to ensure that the workloads for each of its business units have complete autonomy and a minimal blast radius in AWS. The Security team must be able to control access to the resources and services in the account to ensure that particular services are not used by the business units.
How can a Solutions Architect achieve the isolation requirements?

Answer options

• A. Create individual accounts for each business unit and add the account to an OU in AWS Organizations. Modify the OU to ensure that the particular services are blocked. Federate each account with an IdP, and create separate roles for the business units and the Security team.
• B. Create individual accounts for each business unit. Federate each account with an IdP and create separate roles and policies for business units and the Security team.
• C. Create one shared account for the entire company. Create separate VPCs for each business unit. Create individual IAM policies and resource tags for each business unit. Federate each account with an IdP, and create separate roles for the business units and the Security team.
• D. Create one shared account for the entire company. Create individual IAM policies and resource tags for each business unit. Federate the account with an IdP, and create separate roles for the business units and the Security team.

Correct answer: A

Explanation

Creating individual AWS accounts for each business unit provides the highest level of resource isolation and minimizes the blast radius. By organizing these accounts into Organizational Units (OUs) within AWS Organizations, the Security team can easily use Service Control Policies (SCPs) to restrict access to unauthorized AWS services. Single-account strategies (Options C and D) fail to provide adequate blast radius isolation, while Option B lacks a centralized governance mechanism to easily restrict services across accounts.