What combination of the following options meets the company’s needs with the LEAST effort?
(Choose two.)
Use a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account. Require all new and existing accounts to launch the appropriate stacks to enforce the least privilege model.
Use AWS Organizations to create a new organization from a chosen payer account and define an organizational unit hierarchy. Invite the existing accounts to join the organization and create new accounts using Organizations.
Require each business unit to use its own AWS accounts. Tag each AWS account appropriately and enable Cost Explorer to administer chargebacks.
Enable all features of AWS Organizations and establish appropriate service control policies that filter IAM permissions for sub-accounts.
Consolidate all of the company’s AWS accounts into a single AWS account. Use tags for billing purposes and the IAM Access Advisor feature to enforce the least privilege model.
Explanations:
While using parameterized AWS CloudFormation templates can help enforce IAM permissions, it requires manual launching and management across multiple accounts, leading to higher administrative effort and potential inconsistencies. This option does not provide a centralized control mechanism for IAM usage across all accounts.
AWS Organizations allows the creation of a centralized management account (payer account) and the ability to manage billing and access control across multiple accounts effectively. It also facilitates the visibility of spending by grouping accounts into organizational units (OUs) and allows easy addition of new accounts for production workloads.
While tagging accounts for billing purposes and using Cost Explorer for chargebacks provides visibility into spending, it does not provide a centralized payment method or control for IAM usage. This option relies heavily on manual processes and lacks a cohesive strategy for managing security and permissions.
Enabling all features of AWS Organizations and establishing service control policies (SCPs) allows for centralized management of IAM permissions across all accounts. SCPs provide a mechanism to enforce permissions and limit actions at the organizational level, aligning with security requirements and minimizing administrative overhead.
Consolidating all accounts into a single AWS account eliminates the multi-account structure that is beneficial for separating environments (dev, test, production) and controlling IAM usage. Using a single account also complicates resource management and does not provide the required visibility into individual business unit spending.
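As an added illustration of the SCP mechanism described in the fourth explanation (this policy is not part of the original question or answer key): a deny-list SCP that would be attached to an OU in an organization with all features enabled. It keeps member accounts from leaving the organization and limits creation of long-lived IAM users and access keys to a single administrative role; the role name OrgAdminRole is an assumed placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyIamUserAndKeyCreationExceptAdminRole",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateAccessKey"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgAdminRole"
        }
      }
    }
  ]
}
```

An SCP never grants permissions by itself; it only caps what IAM policies in the member accounts can allow, and it does not apply to the management (payer) account, so the least-privilege model still depends on IAM policies inside each account.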