Which of the following should the Cloud Center of Excellence team do to BEST address their requirements in a centralized way?
(Choose two.)
Control all AWS account root user credentials. Create an IAM user in the account of each person who needs to access AWS resources. Follow the policy of least privilege in assigning permissions to each user.
Tag all AWS resources with details about the business unit, project, and environment. Send all AWS Cost and Usage reports to a central Amazon S3 bucket, and use tools such as Amazon Athena and Amazon QuickSight to collect billing details by business unit.
Use the AWS Marketplace to choose and deploy a Cost Management tool. Tag all AWS resources with details about the business unit, project, and environment. Send all AWS Cost and Usage reports for the AWS accounts to this tool for analysis.
Set up AWS Organizations. Enable consolidated billing, and link all existing AWS accounts to a master billing account. Tag all AWS resources with details about the business unit, project, and environment. Analyze Cost and Usage reports using tools such as Amazon Athena and Amazon QuickSight to collect billing details by business unit.
Using a master AWS account, create IAM users within the master account. Define IAM roles in the other AWS accounts, which cover each of the required functions in the account. Follow the policy of least privilege in assigning permissions to each role, then enable the IAM users to assume the roles that they need to use.
Explanations:
Controlling AWS account root user credentials is not recommended, as it violates best practices for managing access and security. Root user access should be kept to a minimum, and IAM users with appropriate roles should be used for day-to-day access control.
While tagging AWS resources and sending Cost and Usage reports to a central bucket is a good practice, it does not address central management of AWS accounts or permissions, which is a higher priority.
Using a Cost Management tool from the AWS Marketplace is not the most efficient way to address centralized management of AWS accounts and permissions. This option addresses cost analysis only and does not cover managing multiple AWS accounts in a structured, secure way.
Setting up AWS Organizations for consolidated billing and linking AWS accounts addresses centralized management. Tagging resources for billing purposes and using tools like Athena and QuickSight aligns with best practices for cost management.
Using a master AWS account whose IAM users assume roles defined in the other AWS accounts centralizes identity management and permissions, enforcing least privilege access without sharing root credentials across accounts.
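The cross-account role pattern from the last option is easiest to see in the policy documents themselves. The following is an added example, not part of the original question or explanations: it builds the trust policy for a role in a member account (only principals from the master account may assume it, and only with MFA), the identity policy that lets a master-account IAM user assume exactly that role, a read-only permission set for the role, and a small check that flags policies granting more than a task needs. The account IDs, the role name, and the helper names are constructed placeholders.

```python
import json

# Constructed placeholder account IDs and role name; the page gives none.
MASTER_ACCOUNT_ID = "111111111111"
MEMBER_ACCOUNT_ID = "222222222222"
ROLE_NAME = "BillingReadOnly"


def _as_list(value) -> list:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_for_member_role(master_account_id: str, require_mfa: bool = True) -> dict:
    """Trust policy attached to the role in a member account.

    ':root' in the principal ARN means 'any IAM identity in that account',
    not the account's root user; which users may actually assume the role is
    then controlled by their own identity policies in the master account.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # Refuse the assumption unless the caller authenticated with MFA.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy_for_user(member_account_id: str, role_name: str) -> dict:
    """Identity policy for a master-account IAM user: one specific role may be assumed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{member_account_id}:role/{role_name}",
        }],
    }


def billing_read_only_permissions() -> dict:
    """Permissions the member-account role needs for cost analysis: read-only calls only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ce:GetCostAndUsage", "cur:DescribeReportDefinitions"],
            "Resource": "*",
        }],
    }


def least_privilege_findings(policy: dict) -> list:
    """Return findings for Allow statements that grant an open-ended set of permissions."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource grants an open-ended set")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        for a in wildcard_actions:
            findings.append(f"statement {i}: wildcard action {a!r}")
        if wildcard_actions and "*" in resources:
            findings.append(f"statement {i}: wildcard action on every resource")
    return findings


if __name__ == "__main__":
    for name, doc in [
        ("member-account trust policy", trust_policy_for_member_role(MASTER_ACCOUNT_ID)),
        ("master-account user policy", assume_role_policy_for_user(MEMBER_ACCOUNT_ID, ROLE_NAME)),
        ("member-account role permissions", billing_read_only_permissions()),
    ]:
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
        print("findings:", least_privilege_findings(doc) or "none")
```

The check is deliberately narrow: it catches `"Action": "*"`, service-wide `svc:*` grants, and `NotAction`/`NotResource`, which are the usual ways a "temporary" admin policy slips into a role that was meant to read billing data. A `Resource` of `*` on its own is not flagged, because some read-only APIs (the Cost Explorer calls above among them) do not support resource-level restriction.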