What combination of the following options meet the company’s needs with the LEAST effort?
(Choose two.)
Use a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account. Require all new and existing accounts to launch the appropriate stacks to enforce the least privilege model.
Use AWS Organizations to create a new organization from a chosen payer account and define an organizational unit hierarchy. Invite the existing accounts to join the organization and create new accounts using Organizations.
Require each business unit to use its own AWS accounts. Tag each AWS account appropriately and enable Cost Explorer to administer chargebacks.
Enable all features of AWS Organizations and establish appropriate service control policies that filter IAM permissions for sub-accounts.
Consolidate all of the company’s AWS accounts into a single AWS account. Use tags for billing purposes and IAM’s Access Advisor feature to enforce the least privilege model.
Explanations:
Parameterized CloudFormation templates can push a common set of IAM roles and policies into many accounts, but the templates must be authored, launched in every existing and every new account, and kept in sync by hand, and an administrator inside any account can still edit or delete the resources the stack created. The approach offers no central guardrail over IAM and nothing for billing.
AWS Organizations gives the company one consolidated bill in the management (payer) account while keeping a separate account per business unit. Existing accounts are brought in by invitation, and new production accounts are created from the organization with a single API call or console action instead of a fresh sign-up.
Tagging per-business-unit accounts and enabling Cost Explorer gives spending visibility, but without an organization there is no consolidated bill and no cross-account IAM control. Each account remains a silo that must be administered on its own.
Enabling all features of AWS Organizations (not just consolidated billing) unlocks service control policies. An SCP never grants permissions; it sets the maximum permissions available to principals in a member account, so an action succeeds only if the principal's IAM policies allow it and every SCP on the path from the organization root through the OUs to the account allows it. That is a central guardrail across all accounts with no per-account deployment, and the same organization supplies the single billing method. Note that SCPs do not apply to the management account, which is one reason to keep workloads out of it.
Consolidating everything into a single AWS account discards the isolation between business units (one account is one blast radius and one set of service quotas), makes cost allocation depend entirely on tagging discipline, and does not enforce least privilege: IAM Access Advisor only reports which services a principal last used, which helps when pruning policies but enforces nothing on its own.
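The point that SCPs filter rather than grant permissions is easier to see with a small evaluator. The following Python is an added example written for this page, not AWS code. It models only the Effect/Action part of the policy language (Resource, Condition, NotAction, permissions boundaries and session policies are ignored), and the OU layout and the policies GUARDRAIL_SCP, SANDBOX_SCP and DEV_IAM_POLICY are constructed for illustration; only FULL_AWS_ACCESS mirrors the default SCP that Organizations attaches. It shows that an explicit Deny in an SCP wins over any IAM Allow, that an allow-list SCP silently removes permissions IAM grants, that an SCP never grants what IAM does not, and that the management account is not subject to SCPs.

```python
"""Simplified model of SCP + IAM evaluation for one action.
Added example, not AWS code. Only Effect/Action are modelled."""
import fnmatch
from typing import Dict, List

Policy = Dict[str, object]

# Default SCP Organizations attaches to every root, OU and account when
# all features are enabled. It grants nothing by itself; it only keeps
# the SCP layer from blocking everything.
FULL_AWS_ACCESS: Policy = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Hypothetical deny-list SCP attached to a "Workloads" OU.
GUARDRAIL_SCP: Policy = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Resource": "*",
                   "Action": ["organizations:LeaveOrganization",
                              "cloudtrail:StopLogging",
                              "cloudtrail:DeleteTrail"]}],
}

# Hypothetical allow-list SCP attached directly to a sandbox account
# (FullAWSAccess detached there so the allow-list actually restricts).
SANDBOX_SCP: Policy = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:*", "s3:*", "cloudwatch:*", "logs:*"]}],
}

# Hypothetical IAM identity policy of a developer role in that account.
DEV_IAM_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["s3:*", "ec2:Describe*", "iam:CreateUser",
                              "organizations:LeaveOrganization"]}],
}

# SCPs in effect on the constructed path root -> Workloads OU -> account.
SANDBOX_CHAIN: List[List[Policy]] = [
    [FULL_AWS_ACCESS],                 # root
    [FULL_AWS_ACCESS, GUARDRAIL_SCP],  # Workloads OU
    [SANDBOX_SCP],                     # sandbox account
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policies(policies: List[Policy], action: str) -> str:
    """Evaluate the policies attached at one point (one OU node, or the
    identity) for one action: an explicit Deny beats any Allow, and with
    no matching Allow the result is an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_action_matches(p, action)
                       for p in _as_list(stmt.get("Action", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def is_allowed(action: str, scp_chain: List[List[Policy]],
               identity_policies: List[Policy],
               is_management_account: bool = False) -> bool:
    """Allowed only if every SCP node on the path allows the action AND
    the IAM identity policies allow it. SCPs never apply to the
    management account, so the chain is skipped there."""
    if not is_management_account:
        for node in scp_chain:
            if evaluate_policies(node, action) != "allow":
                return False
    return evaluate_policies(identity_policies, action) == "allow"


if __name__ == "__main__":
    cases = [
        ("s3:PutObject", False),                     # SCP and IAM allow
        ("organizations:LeaveOrganization", False),  # IAM allows, OU SCP denies
        ("iam:CreateUser", False),                   # IAM allows, allow-list SCP omits iam
        ("ec2:RunInstances", False),                 # SCP allows, IAM never granted it
        ("organizations:LeaveOrganization", True),   # management account ignores SCPs
    ]
    for action, mgmt in cases:
        verdict = is_allowed(action, SANDBOX_CHAIN, [DEV_IAM_POLICY], mgmt)
        print(f"{action:36} {'mgmt' if mgmt else 'sandbox':8} "
              f"{'ALLOW' if verdict else 'DENY'}")
```

The cases in the main block are the ones worth remembering for the question: the OU-level Deny blocks leaving the organization even though the developer's IAM policy grants it, the sandbox allow-list strips iam:CreateUser without anyone editing the IAM policy, and ec2:RunInstances stays denied because an SCP cannot add what IAM did not grant. Real evaluation also considers Resource and Condition elements and resource-based policies, which this model leaves out.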