Question #863
A company is migrating its infrastructure to AWS and requires a multi-account setup to meet diverse regulatory standards for different projects. The company needs a consistent security and management baseline while allowing flexibility for account-specific compliance requirements. Additionally, the solution must integrate with an existing on-premises Active Directory Federation Services (AD FS) server.
Which solution meets these requirements with the LEAST operational overhead?
A. Create an AWS Organizations organization. Design a single SCP for least privilege access across all accounts. Establish a single OU for all accounts. Configure an IAM identity provider for AD FS federation. Set up a central logging account with a process for log aggregation. Enable AWS Config in the central account with conformance packs for all accounts.
B. Create an AWS Organizations organization. Enable AWS Control Tower and review its guardrails for SCPs. Validate AWS Config for necessary adjustments. Create OUs as needed. Integrate AWS IAM Identity Center (AWS Single Sign-On) with the on-premises AD FS server.
C. Create an AWS Organizations organization. Implement custom SCPs for least privilege access. Design an OU structure to group accounts. Integrate AWS IAM Identity Center with AD FS. Configure a central logging account for log aggregation. Enable AWS Config in the central account with aggregators and conformance packs.
D. Create an AWS Organizations organization. Enable AWS Control Tower and review guardrails. Configure an IAM identity provider for AD FS federation. Set up AWS Config conformance packs in a central account.
Explanation
Answer B is correct because AWS Control Tower sets up a managed landing zone on top of AWS Organizations: it creates the Log Archive and Audit accounts, enables organization-wide CloudTrail and AWS Config with a central aggregator, and applies its guardrails (now called controls), which are preventive SCPs plus detective Config rules. That removes the manual work in options A and C of writing baseline SCPs, building a central logging account, and configuring Config aggregators and conformance packs by hand. Creating OUs as needed lets accounts be grouped by regulatory regime, and additional controls or custom SCPs can be attached to a specific OU for account-specific compliance requirements without touching the organization-wide baseline; option A's single OU and single SCP offers no such flexibility. AWS IAM Identity Center is configured once at the organization level and accepts the on-premises AD FS server as an external SAML 2.0 identity provider, so users federate into every account through one integration. Option D instead creates an IAM SAML identity provider, which must be configured and maintained in each account separately, and its separate conformance-pack setup duplicates the Config deployment Control Tower already manages. Key points: Control Tower handles the baseline guardrails and logging accounts, IAM Identity Center handles AD FS federation centrally, and OUs enable compliance grouping with minimal effort.
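To show why OU placement is what gives account-specific flexibility on top of a shared baseline, here is an added example (it is not part of the original question and is not AWS or Control Tower code): a small model of how AWS Organizations evaluates SCPs along the path from the root through each OU to an account. The OU names, account IDs and policies are constructed for illustration and resemble, but do not reproduce, Control Tower's controls; conditions, resources and NotAction are left out of the model.

```python
"""Minimal model of service control policy (SCP) evaluation across an OU tree.

Added example, not from the original page. The organization tree, OU names,
account IDs and policies below are constructed for illustration.

Simplified rules (following the documented SCP semantics):
  * An action is permitted in an account only if, at every layer on the path
    root -> OU -> ... -> account, at least one attached SCP has an Allow
    statement matching the action, and no SCP on the path explicitly denies it.
  * Action patterns support '*' wildcards (e.g. "config:*").
  * Conditions, resources and NotAction are omitted to keep the model small.
"""
from fnmatch import fnmatchcase

# Baseline policies resembling Control Tower's preventive controls (constructed).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": ["*"]}]}
PROTECT_LOGGING = {"Statement": [{"Effect": "Deny", "Action": [
    "cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
    "config:DeleteConfigurationRecorder", "config:StopConfigurationRecorder"]}]}
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny",
                                 "Action": ["organizations:LeaveOrganization"]}]}
# A project-specific restriction attached only to a regulated OU (constructed).
RESTRICT_REGULATED = {"Statement": [{"Effect": "Deny",
                                     "Action": ["sagemaker:*", "iam:CreateUser"]}]}

# Constructed OU tree: each node carries attached SCPs, child OUs and member accounts.
ORG = {
    "name": "root", "scps": [FULL_ACCESS, DENY_LEAVE_ORG, PROTECT_LOGGING], "accounts": [],
    "children": [
        {"name": "Security", "scps": [FULL_ACCESS], "children": [],
         "accounts": ["111111111111"]},  # log archive account
        {"name": "Workloads", "scps": [FULL_ACCESS], "accounts": [], "children": [
            {"name": "Regulated", "scps": [FULL_ACCESS, RESTRICT_REGULATED],
             "children": [], "accounts": ["222222222222"]},
            {"name": "Sandbox", "scps": [FULL_ACCESS],
             "children": [], "accounts": ["333333333333"]},
        ]},
    ],
}


def _matches(action, patterns):
    return any(fnmatchcase(action, p) for p in patterns)


def path_to_account(node, account_id, path=()):
    """Return the nodes from the root down to the OU that holds account_id."""
    path = path + (node,)
    if account_id in node.get("accounts", []):
        return list(path)
    for child in node.get("children", []):
        found = path_to_account(child, account_id, path)
        if found:
            return found
    return None


def scp_allows(org, account_id, action):
    """Evaluate whether the SCPs on the account's path permit `action`."""
    layers = path_to_account(org, account_id)
    if layers is None:
        raise KeyError(f"account {account_id} is not in the organization")
    for layer in layers:
        allowed_here = False
        for scp in layer["scps"]:
            for stmt in scp["Statement"]:
                if _matches(action, stmt["Action"]):
                    if stmt["Effect"] == "Deny":
                        return False  # an explicit Deny at any layer wins
                    allowed_here = True
        if not allowed_here:
            return False  # no Allow at this layer means implicit deny
    return True


def compliance_report(org, account_id, actions):
    """Map each action to True (permitted) or False (blocked by SCP)."""
    return {a: scp_allows(org, account_id, a) for a in actions}


if __name__ == "__main__":
    checks = ["cloudtrail:DeleteTrail", "sagemaker:CreateNotebookInstance",
              "ec2:RunInstances", "organizations:LeaveOrganization"]
    for acct in ("111111111111", "222222222222", "333333333333"):
        print(acct, compliance_report(ORG, acct, checks))
```

Running it shows the baseline denies (logging protection, leaving the organization) applied to every account because they sit at the root, while the SageMaker and IAM user restriction reaches only the account in the Regulated OU; the Sandbox account under the same Workloads parent is unaffected. That is the mechanism the correct answer relies on: one shared baseline, with per-OU controls layered on for project-specific compliance.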
Answer
The correct answer is: B