Logo
AWS Certified Solutions Architect - Associate / Question #1897 of 1019

Question #1897

A company uses AWS Organizations to manage multiple accounts for its project teams. A critical alert was mistakenly sent to the root user email address of a project account rather than the designated team lead. The company needs to ensure future notifications are routed to the appropriate teams based on alert categories: billing, operations, or security.

Which solution MOST securely meets these requirements?

A

Configure all AWS accounts to use a shared company-managed email address accessible by all team leads. Set alternate contacts for each account using distribution lists for the billing, security, and operations teams across all projects.
B

Assign a unique email distribution list per project team to each AWS account, with administrative access for alert responses. Configure alternate contacts for each account using distribution lists for the billing, security, and operations teams.
C

Set each AWS account root user email to a company-managed email address of the project lead. Configure alternate contacts for each account with distribution lists for the billing, security, and operations teams.
D

Configure root user email addresses as aliases pointing to a centralized mailbox. Set alternate contacts for each account using dedicated company-managed distribution lists for the billing, security, and operations teams.

Explanation

Option D is correct because:
1. Root User Email Aliases: Configuring root user emails as aliases to a centralized mailbox avoids exposing actual root user credentials and simplifies management. Root user emails should remain static and secure.
2. Alternate Contacts: AWS allows setting alternate contacts for billing, operations, and security. Using dedicated distribution lists for these categories ensures alerts are routed to the correct teams.

Other options are incorrect because:
- A: A shared email address compromises security and does not follow AWS best practices for root user isolation.
- B: Assigning administrative access for alerts is unnecessary and introduces security risks.
- C: Changing root user emails to project leads' addresses is insecure and impractical for scalability.

Key Points:
- Use alternate contacts for billing, operations, and security alerts.
- Avoid sharing root user credentials; use aliases for centralized management.
- Distribution lists ensure alerts reach the correct teams without exposing sensitive account details.

Answer

The correct answer is: D