AWS Certified Solutions Architect – Professional — Question 915

A large global financial services company has multiple business units. The company wants to allow Developers to try new services, but there are multiple compliance requirements for different workloads. The Security team is concerned about the access strategy for on-premises and AWS implementations. They would like to enforce governance for AWS services used by business teams for regulatory workloads, including Payment Card Industry (PCI) requirements.
Which solution will address the Security team's concerns and allow the Developers to try new services?

Answer options

• A. Implement a strong identity and access management model that includes users, groups, and roles in various AWS accounts. Ensure that centralized AWS CloudTrail logging is enabled to detect anomalies. Build automation with AWS Lambda to tear down unapproved AWS resources for governance.
• B. Build a multi-account strategy based on business units, environments, and specific regulatory requirements. Implement SAML-based federation across all AWS accounts with an on-premises identity store. Use AWS Organizations and build organizational units (OUs) structure based on regulations and service governance. Implement service control policies across OUs.
• C. Implement a multi-account strategy based on business units, environments, and specific regulatory requirements. Ensure that only PCI-compliant services are approved for use in the accounts. Build IAM policies to give access to only PCI-compliant services for governance.
• D. Build one AWS account for the company for strong security controls. Ensure that all the service limits are raised to meet company scalability requirements. Implement SAML federation with an on-premises identity store, and ensure that only approved services are used in the account.

Correct answer: B

Explanation

Option B is the correct choice because a multi-account strategy utilizing AWS Organizations and Service Control Policies (SCPs) allows the company to enforce strict compliance guardrails on regulatory OUs while giving developers freedom to innovate in sandbox OUs. SAML-based federation with the on-premises identity store addresses the security team's access strategy concerns for hybrid environments. Options A, C, and D are incorrect because a single-account strategy does not provide proper isolation, IAM policies alone are difficult to manage at scale compared to SCPs, and reactive Lambda-based resource deletion is less secure than proactive prevention.