AWS Certified SysOps Administrator – Associate (legacy) — Question 176

A company currently has a single AWS account used by all project teams. The company is migrating to a multi-account strategy, where each project team will have its own account. The AWS IAM configuration must have the same roles and policies for each of the accounts.
What is the MOST efficient way to implement and manage these new requirements?

Answer options

• A. Create a portfolio in the AWS Service Catalog for the IAM roles and policies. Have a specific product in the portfolio for each environment, project, and team that can be launched independently by each user.
• B. Use AWS Organizations to create organizational units (OUs) for each group of projects and each team. Then leverage service control policies at the account level to restrict what services can used and what actions the users, groups, and roles can perform in those accounts.
• C. Create an AWS Lambda script that leverages cross-account access to each AWS account, and create all the roles and policies needed using the IAM API and JSON documents stored in Amazon S3.
• D. Create a single AWS CloudFormation template. Use CloudFormation StackSets to launch the CloudFormation template into each target account from the Administrator account.

Correct answer: B

Explanation

The correct answer, B, effectively uses AWS Organizations to manage permissions and roles across multiple accounts, ensuring consistency and control. Options A and C introduce complexity and don't guarantee the same roles and policies across accounts, while option D, although viable, is less efficient than using service control policies to manage access at the organizational level.