Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 893 discussion

Statement: - The solution also must create accounts with automatic security controls (guardrails). https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html AWS Control Tower provides a pre-packaged set of guardrails (policies) and blueprints (best-practice configurations) to ensure that the environment complies with security and compliance standards. It’s designed to simplify the process of creating and managing a multi-account AWS environment while maintaining security and compliance.

It's a hard one. I'd go for B Several accounts in an org, with central mgmt > AWS Organization Sharing resources among accounts > AWS RAM AWS Organizations and RAM typically work well together... Happy to be challenged, of course.

AWS Control Tower automates the setup of accounts and guardrails, reducing the need for manual configuration. Centralizing networking in a single account and sharing resources via AWS RAM minimizes the operational effort required to manage networking across multiple accounts.

A - It works but on first sight I eliminated this option because if you have a large number of workloads, the manual work would be too much. However, other options have bigger issues so this one is pretty great actually. B - AWS Organizations alone does not provide the automatic guardrails, so it requires manual implementation of security controls and policies. C - Also a valid choice, especially if more isolation and advanced traffic inspection are needed, but it introduces more complexity than option A and might require more operational oversight, which would not be ideal for "least operational overhead." D - Like B.

guard rails => AWS control tower

A Guardrails >> AWS Control Tower

AWS Control Tower provides built-in guardrails and automates the creation of accounts with security controls.

A. Use AWS Control Tower to deploy accounts. Create a networking account that has a VPC with private subnets and public subnets. Use AWS Resource Access Manager (AWS RAM) to share the subnets with the workload accounts.

It leverages AWS Control Tower for automated account deployment and management, along with AWS RAM for centralized networking management, thus minimizing operational overhead while meeting the company's requirements for workload isolation and automatic security controls.

answer is A

Anser is A, Control Tower has guardrails AWS Audit Manager provides an AWS Control Tower Guardrails framework to assist you with your audit preparation.

Taking into consideration that AWS Control Tower is Orchestrator for AWS Organization which applies guardrails, I think A is a good choose. https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html

Please explain why the answer is option A