AWS Certified Solutions Architect - Professional / Question #774 of 529

Question #774

A company has six development teams that have each created four AWS accounts to develop and host applications. To track spending, the development teams log in to each account every month, extract cost data from the AWS Billing Dashboard, and submit the information to the finance department. The company must comply with strict regulations that restrict resource creation to AWS Regions in the United States, but resources have been deployed in other Regions. A solutions architect must implement a solution to consolidate expenditure tracking for all accounts and enforce regional restrictions. Which combination of steps will meet these requirements in the MOST operationally efficient way? (Choose three.)

A

Create a management account. Set up an Amazon S3 bucket for the finance team. Use AWS Cost Explorer to generate monthly reports and store them in the S3 bucket.

B

Create a management account. Establish an AWS Organizations organization with all features enabled. Invite all existing accounts to join the organization and ensure they accept the invitations.

C

Create an organizational unit (OU) for all development teams. Develop a service control policy (SCP) permitting resource creation solely in US Regions. Attach the SCP to the OU.

D

Create an OU for all development teams. Develop an SCP that explicitly denies resource creation in non-US Regions. Attach the SCP to the OU.

E

Create an IAM role in the management account with permissions to access the Billing Dashboard. Grant the finance team permission to assume the role. Use AWS Cost Explorer and the Billing Dashboard for cost analysis.

F

Create an IAM role in every AWS account with permissions to access the Billing Dashboard. Grant the finance team permission to assume each role.

Explanation

B: Creating an AWS Organizations organization with all features enabled provides consolidated billing and SCPs, centralizing cost tracking and policy enforcement.
D: An SCP denying resource creation in non-US Regions ensures compliance with regional restrictions when attached to the OU containing all development accounts.
E: A single IAM role in the management account allows the finance team to access billing data across all accounts via Cost Explorer, eliminating manual logins.

Incorrect options:
A: Storing reports in S3 adds unnecessary steps; Cost Explorer provides direct access to consolidated data.
C: SCPs should explicitly deny non-US Regions instead of permitting only US Regions to avoid unintended restrictions on other actions.
F: Creating roles in every account is inefficient compared to a single role in the management account.

Key Points:
- Use AWS Organizations for consolidated billing and SCPs.
- SCPs with explicit deny conditions enforce regional restrictions effectively.
- Centralized access via the management account improves operational efficiency.

Answer

The correct answer is: BDE