Question #908
A large enterprise is migrating its IT infrastructure to AWS. Each department operates standalone AWS accounts for staging and quality assurance. New production accounts must be provisioned shortly.
The finance team needs a unified payment method while retaining granular visibility into each department's expenditures for cost allocation.
The security team demands centralized governance over IAM policies across all enterprise accounts.
Which combination of solutions addresses these requirements MOST efficiently? (Select two.)
A. Implement standardized AWS CloudFormation templates with predefined IAM roles across all accounts. Mandate deployment of these templates in existing and new accounts to enforce security policies.
B. Establish an AWS Organizations hierarchy from a designated payer account. Integrate existing accounts into the organization and provision new accounts through Organizations.
C. Require individual departments to manage their own AWS accounts. Implement resource tagging and AWS Budgets for cost attribution.
D. Activate full AWS Organizations capabilities and configure service control policies to restrict IAM permissions across member accounts.
E. Merge all AWS accounts into one master account. Use IAM roles/resource tagging for access control and consolidated billing.
Explanation
Answer B (AWS Organizations hierarchy) consolidates billing under a payer account, providing a unified payment method and granular cost tracking via linked accounts. Answer D (SCPs) enforces centralized IAM policies across all accounts, meeting security requirements.
Why others are incorrect:
- A: CloudFormation templates require manual enforcement and lack the automation of SCPs.
- C: Self-managed accounts and tagging do not ensure unified billing or centralized governance.
- E: Merging accounts violates AWS best practices for isolation and offers no advantage over Organizations.
Key Points:
1. AWS Organizations enables consolidated billing and account management.
2. SCPs provide centralized policy enforcement across all member accounts.
3. Separate accounts with Organizations balance isolation and centralized control.
Answer
The correct answer is: BD