Question #1912
A company wants to isolate its workloads by creating an AWS account for each workload. The company needs a solution that centrally manages a shared VPC for all workloads and automatically enforces security guardrails. Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS Control Tower to deploy accounts. Create a networking account with a shared VPC. Use AWS Resource Access Manager (AWS RAM) to share the VPC with the workload accounts.
B. Use AWS Organizations to deploy accounts. Create a networking account with a shared VPC. Use AWS Resource Access Manager (AWS RAM) to share the VPC with the workload accounts.
C. Use AWS Control Tower to deploy accounts. Deploy a VPC in each workload account and connect them to a central inspection VPC using transit gateway attachments.
D. Use AWS Organizations to deploy accounts. Deploy a VPC in each workload account and connect them to a central inspection VPC using transit gateway attachments.
Explanation
Answer A is correct because AWS Control Tower automates account provisioning (Account Factory) and applies pre-configured guardrails (preventive SCPs and detective controls) to every enrolled account, so no manual policy setup is needed per workload account. AWS RAM then shares the networking account's VPC with the workload accounts through a resource share. Note that VPC sharing works at the subnet level: the networking account owns the VPC and keeps control of route tables and network ACLs, while each participant account launches its own resources into the shared subnets and manages its own security groups. This is exactly the "centrally managed shared VPC" the question asks for. Option B also shares the VPC with RAM, but AWS Organizations on its own provides no pre-built guardrails; the company would have to author and attach SCPs and detective controls itself. Options C and D deploy a VPC per workload account plus a Transit Gateway, with attachments and route tables to maintain in every account, which is more to build and operate and does not give a single shared VPC. Key points: Control Tower automates governance, RAM enables VPC (subnet) sharing, and a shared VPC removes redundant per-account network setup.
Answer
The correct answer is: A
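The following is an added worked example, not part of the original question or of any AWS documentation: a CloudFormation template that the networking account in answer A would deploy. It creates the shared VPC with two private subnets and publishes only the subnets (VPC sharing is subnet-scoped) through an AWS::RAM::ResourceShare to a Workloads OU. The OU ARN, CIDR ranges and resource names are placeholder assumptions; the template also assumes that sharing with the organization has already been turned on once from the management account with `aws ram enable-sharing-with-aws-organization`.

```yaml
# Added example (not from the original question). Deployed in the networking
# account. Assumptions: WorkloadsOuArn is supplied at deploy time, and RAM
# organization sharing was enabled beforehand in the management account.
AWSTemplateFormatVersion: "2010-09-09"
Description: Networking account - shared VPC whose subnets are published via AWS RAM

Parameters:
  WorkloadsOuArn:
    Type: String
    Description: >-
      ARN of the OU whose member accounts may launch into the shared subnets
      (placeholder, e.g. arn:aws:organizations::111111111111:ou/o-xxxx/ou-xxxx-yyyyyyyy)

Resources:
  SharedVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16          # placeholder range
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: shared-vpc

  PrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SharedVpc
      CidrBlock: 10.0.0.0/20
      AvailabilityZone: !Select [0, !GetAZs ""]
      MapPublicIpOnLaunch: false     # no public IPs handed to workloads

  PrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SharedVpc
      CidrBlock: 10.0.16.0/20
      AvailabilityZone: !Select [1, !GetAZs ""]
      MapPublicIpOnLaunch: false

  # Route table stays owned by the networking account; participant accounts
  # cannot edit it, which is what keeps egress centrally controlled.
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref SharedVpc

  SubnetARouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetA
      RouteTableId: !Ref PrivateRouteTable

  SubnetBRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetB
      RouteTableId: !Ref PrivateRouteTable

  # The resource share lists subnet ARNs, not the VPC ARN: VPC sharing is
  # subnet-level. AllowExternalPrincipals=false restricts the share to
  # principals inside the organization.
  WorkloadSubnetShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: shared-vpc-workload-subnets
      AllowExternalPrincipals: false
      Principals:
        - !Ref WorkloadsOuArn
      ResourceArns:
        - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetA}
        - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetB}

Outputs:
  SharedVpcId:
    Value: !Ref SharedVpc
  SharedSubnetIds:
    Value: !Join [",", [!Ref PrivateSubnetA, !Ref PrivateSubnetB]]
```

Two operational checks worth doing with this design. First, from a workload account, `aws ec2 describe-subnets` should list the two subnets with the networking account as OwnerId; that account can launch instances into them with its own security groups but cannot change the route table or network ACLs, which remain with the owner. Second, Control Tower's Account Factory creates a VPC in each new account by default; for a shared-VPC design, configure the Account Factory network settings so new accounts are created without their own VPC, otherwise every workload account still ends up with an unused VPC.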