Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS Control Tower to deploy accounts. Create a networking account that has a VPC with private subnets and public subnets. Use AWS Resource Access Manager (AWS RAM) to share the subnets with the workload accounts.
B. Use AWS Organizations to deploy accounts. Create a networking account that has a VPC with private subnets and public subnets. Use AWS Resource Access Manager (AWS RAM) to share the subnets with the workload accounts.
C. Use AWS Control Tower to deploy accounts. Deploy a VPC in each workload account. Configure each VPC to route through an inspection VPC by using a transit gateway attachment.
D. Use AWS Organizations to deploy accounts. Deploy a VPC in each workload account. Configure each VPC to route through an inspection VPC by using a transit gateway attachment.
Explanations:
Option A: AWS Control Tower simplifies account provisioning and applies guardrails automatically. Creating a networking account with a VPC and using AWS RAM to share its subnets with the workload accounts centralizes management of the networking components (the networking account keeps ownership of the VPC, route tables, and network ACLs) while maintaining security controls with minimal operational overhead.
Option B: While AWS Organizations can deploy accounts, it does not provide the same built-in guardrails and automation for account creation as AWS Control Tower. Using AWS RAM to share subnets is valid, but the lack of automatic security controls makes this option less optimal.
Option C: Although AWS Control Tower is used for deploying accounts, deploying a VPC in each workload account increases operational complexity and does not align with the requirement for centralized management of networking components. Routing every VPC through an inspection VPC over transit gateway attachments also adds overhead.
Option D: Similar to Option C, AWS Organizations allows account creation, but deploying a VPC in each workload account complicates management. It also lacks the automation and guardrail features that AWS Control Tower provides, leading to higher operational overhead compared to a centralized VPC solution.
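The networking-account side of Option A, written out as an added Terraform example (this is not from the original page or from AWS documentation). The region, CIDR blocks, availability zone, and the organizational-unit ARN are placeholders; a real deployment would run this with credentials for the networking account, and the workload accounts would then see the shared subnets without any networking configuration of their own.

```terraform
# Added example: a shared VPC in a dedicated networking account, with its
# subnets shared to a workload OU through AWS RAM (Option A above).
# Region, CIDRs, AZ, and the OU ARN are assumed placeholder values.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed; apply with networking-account credentials
}

# The VPC and its route tables / network ACLs stay owned by this account,
# which is what keeps network controls centralized.
resource "aws_vpc" "shared" {
  cidr_block           = "10.0.0.0/16" # assumed
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "shared-network" }
}

resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.shared.id
  cidr_block        = "10.0.1.0/24" # assumed
  availability_zone = "us-east-1a"  # assumed
  tags              = { Name = "shared-private-a" }
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.shared.id
  cidr_block              = "10.0.101.0/24" # assumed
  availability_zone       = "us-east-1a"    # assumed
  map_public_ip_on_launch = true
  tags                    = { Name = "shared-public-a" }
}

# One resource share for the subnets. allow_external_principals = false keeps
# the share inside the organization, which is the least-privilege default.
resource "aws_ram_resource_share" "subnets" {
  name                      = "shared-vpc-subnets"
  allow_external_principals = false
}

resource "aws_ram_resource_association" "private" {
  resource_arn       = aws_subnet.private.arn
  resource_share_arn = aws_ram_resource_share.subnets.arn
}

resource "aws_ram_resource_association" "public" {
  resource_arn       = aws_subnet.public.arn
  resource_share_arn = aws_ram_resource_share.subnets.arn
}

# Share with the OU that holds the workload accounts. The ARN is a placeholder.
# Sharing with an OU requires RAM sharing with AWS Organizations to be enabled
# once from the management account (aws ram enable-sharing-with-aws-organization);
# accounts inside the organization then receive the share without an invitation.
resource "aws_ram_principal_association" "workload_ou" {
  principal          = "arn:aws:organizations::111111111111:ou/o-EXAMPLE/ou-EXAMPLE" # placeholder
  resource_share_arn = aws_ram_resource_share.subnets.arn
}
```

From a workload account, `aws ec2 describe-subnets` lists the shared subnets with the networking account as `OwnerId`; the workload account can launch resources into them but cannot change the subnets' route tables or network ACLs, so the security boundary remains with the networking team.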