AWS Certified Solutions Architect – Professional — Question 973
A company has an organization in AWS Organizations. The company has enabled trusted access between Organizations and AWS Resource Access Manager (AWS RAM). The organization includes three AWS accounts, one each for shared services, development, and production. The shared services account has a VPC.
A solutions architect needs to meet the following requirements:
* Configure access between the shared services VPC and the development and production accounts.
* Ensure that workloads in each account are deployed to at least three Availability Zones.
* Ensure that there is no direct communication between the development and production workloads.
Which combination of steps will meet these requirements? (Choose three.)
Answer options
- A. In the shared services VPC, create three subnets for three Availability Zones. Create one subnet in each Availability Zone.
- B. In the shared services VPC, create six subnets for three Availability Zones. Create two subnets in each Availability Zone.
- C. Configure network ACLs to prevent connectivity between the subnets in the development account and the production account.
- D. Configure VPC default security group outbound rules to prevent connectivity between the subnets in the development account and the production account.
- E. Use AWS RAM to share three subnets in different Availability Zones with the development account. Additionally, use AWS RAM to share the same three subnets with the production account.
- F. Use AWS RAM to share three subnets in different Availability Zones with the development account. Additionally, use AWS RAM to share three other subnets in different Availability Zones with the production account.
Correct answer: B, C, F
Explanation
To place both the development and the production workloads in three Availability Zones while keeping them apart, the shared services VPC needs one subnet per environment in each Availability Zone, six subnets in total, so Option B is correct. Option A provides only three subnets, which would have to be shared with both accounts (Option E) and would put development and production resources on the same subnets, where a subnet-level control cannot separate them. With six subnets, the VPC owner uses AWS RAM to share three subnets (one per Availability Zone) with the development account and the other three with the production account, so Option F is correct; because trusted access with Organizations is enabled, the shares can name the member accounts directly and no invitation has to be accepted.

Isolation is enforced with network ACLs, Option C, because in a shared VPC the subnets, route tables and network ACLs belong to the VPC owner and participant accounts cannot modify them. Stateless NACLs are evaluated at the subnet boundary, so deny rules for the other environment's subnet CIDRs (applied inbound and outbound, for all protocols) block development-to-production traffic regardless of what the participants deploy. Option D does not work: each participant creates and manages its own security groups for the resources it launches in the shared subnets, and rules on the owner's default security group apply only to resources that actually use that group, so a participant can bypass them by attaching a different security group.
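The subnet layout, RAM shares and NACL rule set from the explanation, worked through in Python as an added example (it is not part of the exam page and does not call AWS). The VPC CIDR, AZ names and account IDs are constructed placeholders; the small `nacl_allows` function reproduces how AWS evaluates a network ACL (ascending rule number, first match wins, implicit final deny) so the isolation can be checked offline, and `cli_commands` renders the equivalent `aws ec2 create-network-acl-entry` calls.

```python
"""
Added example: plan option B's six subnets, option F's per-environment RAM
shares and option C's network ACL rules, then check the isolation with a
small simulator of NACL rule evaluation. All CIDRs, AZ names and account
IDs below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")          # assumed VPC CIDR
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]         # assumed AZ names
ACCOUNTS = {"dev": "111111111111", "prod": "222222222222"}  # placeholder IDs


@dataclass
class Subnet:
    env: str
    az: str
    cidr: ipaddress.IPv4Network


def plan_subnets(vpc=VPC_CIDR, azs=AZS, envs=("dev", "prod"), prefix=20):
    """Option B: two subnets per AZ, one per environment, six in total."""
    blocks = iter(vpc.subnets(new_prefix=prefix))
    return [Subnet(env, az, next(blocks)) for az in azs for env in envs]


def ram_shares(subnets, accounts=ACCOUNTS):
    """Option F: one resource share per environment, each holding that
    environment's three subnets and naming only that environment's account."""
    return {
        env: {"principals": [acct],
              "subnets": [str(s.cidr) for s in subnets if s.env == env]}
        for env, acct in accounts.items()
    }


@dataclass
class Rule:
    number: int
    action: str                       # "allow" or "deny"
    cidr: ipaddress.IPv4Network


def nacl_rules(subnets, env):
    """Option C: NACL for one environment's subnets. Deny the other
    environment's CIDRs with low rule numbers (evaluated first), then allow
    everything else. Because NACLs are stateless, the same list is applied
    as both the inbound and the outbound rule set."""
    others = [s.cidr for s in subnets if s.env != env]
    rules = [Rule(100 + 10 * i, "deny", c) for i, c in enumerate(others)]
    rules.append(Rule(1000, "allow", ipaddress.ip_network("0.0.0.0/0")))
    return rules


def nacl_allows(rules, address):
    """Evaluate the way AWS does: ascending rule number, first match
    decides, and the implicit final '*' rule denies anything unmatched."""
    ip = ipaddress.ip_address(address)
    for r in sorted(rules, key=lambda r: r.number):
        if ip in r.cidr:
            return r.action == "allow"
    return False


def cli_commands(acl_id, rules):
    """Render the equivalent AWS CLI calls; acl_id is a placeholder. Each
    rule is created twice, once --ingress and once --egress."""
    cmds = []
    for r in rules:
        for direction in ("--ingress", "--egress"):
            cmds.append(
                f"aws ec2 create-network-acl-entry --network-acl-id {acl_id} "
                f"--rule-number {r.number} --protocol -1 "
                f"--rule-action {r.action} --cidr-block {r.cidr} {direction}")
    return cmds


if __name__ == "__main__":
    subnets = plan_subnets()
    for s in subnets:
        print(f"{s.env:5} {s.az} {s.cidr}")
    dev_acl = nacl_rules(subnets, "dev")
    print("prod 10.0.16.1 -> dev subnet allowed?", nacl_allows(dev_acl, "10.0.16.1"))
    print("shared services 10.0.200.10 -> dev subnet allowed?",
          nacl_allows(dev_acl, "10.0.200.10"))
    print("\n".join(cli_commands("acl-0123456789abcdef0", dev_acl)))
```

The deny rules cover all protocols and ports in both directions, so the usual stateless-NACL concern about ephemeral return ports does not arise for the isolation rules themselves; the final allow-all rule stands in for whatever baseline the VPC owner already applies. Only the owner can associate these NACLs with the shared subnets, which is what makes the control hold against anything a participant deploys.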