A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions.
The divisions want to maintain administrative control of the discrete AWS resources they consume and keep
those resources separate from the resources of other divisions. Which of the following options, when used
together, will support the autonomy/control of divisions while enabling corporate IT to maintain governance
and cost oversight?
Choose 2 answers
A. Use AWS Consolidated Billing and disable AWS root account access for the child accounts.
B. Enable IAM cross-account access for all corporate IT administrators in each child account.
C. Create separate VPCs for each division within the corporate IT AWS account.
D. Use AWS Consolidated Billing to link the divisions’ accounts to a parent corporate account.
E. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account’s Amazon S3 ‘Log’ bucket.
D and E
BD
Again very frustrating as it doesn’t really say that this involves multiple AWS accounts 🙁
What if there is only one account? Then we would have interpreted the question differently.
Assuming that each division uses its own AWS account, then correct answer is likely B and D.
It asks for Administrative Control and Cost oversight.
Enabling IAM cross-account access will provide administrative control (centrally controlling policies from parent account)
Consolidated billing provides Cost oversight of all the accounts owned by the company
B and D
DE
B and D
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html
https://acloud.guru/course/aws-certified-solutions-architect-associate/discuss/-KLhI9vvtmgqw_uY5iOt/corporate-it-governance-and-cost-oversight
Why not C? Does it not meet the “divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions.” requirement?
Creating separate VPCs does not create a separate view of all the resources. You will still be seeing the resources of the other groups.
DE
B and D
B: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
D: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html
BD
B: (Corporate IT governance) Allowing the corporate IT admin to gain administrative access to an individual division’s AWS account by leveraging IAM cross-account trust, IAM role & IAM policy. http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
D: (cost oversight) http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html
cd
C – they need to have BU centric administration and
D – consolidated billing
I think that it is B & D
B & D is correct.
Answer C assumes using same account for all departments which contradicts answer D, so C & D could not be the right answer.
So B & D is the correct answer.
B & D are correct when used in combination with each other.
C is theoretically correct by itself, but does not work well with the other choices since it involves only a single AWS account, and the other possibly correct choices (B & D) both involve separate AWS accounts. The question specifically states “Which of the following options, when used together”. So C is out.
A is incorrect because you don’t want to disable root access to the child accounts (well, except for their access keys for API calls, deleting those is OK).
E is incorrect because it’s the exact opposite of a best practice to centralize logs/security audit info across multiple corporate AWS accounts:
https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/
B & D
It’s B, C and D really!
Trying to keep 3 divisions wholly separated from each other in one VPC would be a nightmare of separate subnets, route tables, security groups, tags/resource groups, IAM etc. You’d have separate VPCs and then use B and D for billing / access mgt.
However based solely on the (poor) question it would be B and D
If you use separate accounts, you already have separate VPCs. The issue with C is that it assumes one corporate account.
D, E
D – Cost oversight
E – IT governance
The divisions want to maintain autonomy and discrete access for their set of services, hence B can’t be true, leaving us with only D
I meant E, D is a given
A. Disable AWS root access? I don’t think that’s possible. They keep talking about child accounts like they are nested. There’s no such thing as a master account with nested child accounts.
B. Would accomplish IT governance.
C. Seriously?
D. Consolidates billing
E. I have no idea what this accomplishes.
ANS: B,D
B & D
“A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight?”
Goals for Corporate:
* Governance of Resources
* Governance of Cost
Goals for Divisions
* Administrative Control
* Keep resources separate from other divisions
Wouldn’t C be needed to keep division resources separate? Agree B & D is correct.. just not sure where the “keep resources separate from other divisions” is covered.
Child accounts are in charge of resources separately
B & D
B for IT governance
D for cost oversight