Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 379 discussion

B and D correct Option B: Using AWS Organizations to create a new organization from a chosen payer account and defining an organizational unit hierarchy invites existing accounts to join the organization. This allows for centralized management of IAM usage across all accounts, meeting the security team's requirement. Additionally, this approach enables cost allocation and visibility into spending for each group, which meets the finance department's requirement. Option D: Enabling all features of AWS Organizations and establishing service control policies that filter IAM permissions for sub-accounts provides a comprehensive solution for centralized IAM control. This approach allows for fine-grained control over access and security across all accounts.

Option BD not C: The management account has the responsibilities of a payer account and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's management account. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html

Option BD - You need to use Service Control Policies (SCP) for the Security Team requirements. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

C is wrong: since it didn't mention Organization at all. We can get each group's cost by utilizing OU.

options B and C offers a balance between centralized management, cost visibility, and minimal disruption during the migration process. The company can leverage AWS Organizations to establish a central structure and implement security controls later, while maintaining separate accounts for business units with tagging and Cost Explorer to ensure cost allocation. i maybe wrong, but these are my picks

BC We need AWS Organization and we need tagging for cost allocation. Those are the only answers viable.

“Centralized method for payment” maps to AWS organization. So B is one of the answer. “maintain visibility into each group's spending to allocate costs” means all resources need to be tagged for Cost Explorer to provide visibility into each group’s spending. So, C is one of the answer I don’t think D is a good answer, coz SCP is not a good way for IAM permission control. The usual way is to create different roles and allow different users/groups to assume different roles. A is wrong because there isn’t so called common IAM permissions; and least privilege model is a best practice rather than a detailed template, so there is nothing to enforce. E Consolidating accounts into one single account is obviously not a good solution.

Why not B,C? It looks good to me.

Option B and D

Also vote for B and D

B & D - Create Organizations in AWS Organizations from a chosen payer account and invite all member accounts and create new accounts as a part of the Organizations. Enable All features and create appropriate SCPs for services access control.

Options B and D offers a centralized, efficient, and scalable solution that meets both the finance department's and the security team's requirements.

BD for sure

Answer: B D