Which account creation process meets these requirements and allows for changes?
Create a new AWS Organizations account. Create groups in Active Directory and assign them to roles in AWS to grant federated access. Require each team to tag their resources, and separate bills based on tags. Control access to resources through IAM granting the minimally required privilege.
Create individual accounts for each team. Assign the security account as the master account, and enable consolidated billing for all other accounts. Create a cross-account role for security to manage accounts, and send logs to a bucket in the security account.
Create a new AWS account, and use AWS Service Catalog to provide teams with the required resources. Implement a third-party billing solution to provide the Finance team with the resource use for each team based on tagging. Isolate resources using IAM to avoid account sprawl. Security will control and monitor logs and permissions.
Create a master account for billing using Organizations, and create each team’s account from that master account. Create a security account for logs and cross-account access. Apply service control policies on each account, and grant the Security team cross-account access to all accounts. Security will create IAM policies for each account to maintain least privilege access.
Explanations:
Federating Active Directory groups into IAM roles and separating bills by tag keeps every team inside a single account, so it provides neither account-level isolation of resources nor a native per-team bill; tag-based cost allocation also depends on every resource being tagged correctly. Without AWS Organizations there is no organization-wide guardrail, so IAM alone is a weaker way to hold each team to least privilege than the structured approach the requirements call for.
Creating an account per team does isolate resources, and consolidated billing gives Finance each team's costs. However, making the security account the master (management) account and relying on it alone for cross-account access and logging is not the most scalable arrangement, and the option applies no service control policies (SCPs), so nothing enforces least-privilege guardrails across the team accounts.
AWS Service Catalog helps standardise the resources teams provision, but a single account does not isolate the teams from one another. The third-party billing solution adds complexity where consolidated billing would give per-account costs natively, and IAM alone cannot prevent account sprawl or substitute for account-level separation.
This option uses AWS Organizations to create a separate account for each team, which isolates resources and lets consolidated billing report each team's costs natively. SCPs applied to each account set guardrails that no principal in that account, including its administrators, can exceed, and a dedicated security account that receives logs and holds cross-account access into every account matches the recommended centralised security model. Note that SCPs only restrict; they never grant permissions and do not apply to the management account, so the IAM policies Security creates in each account still define what each team can actually do.
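The following is an added example, not part of the question or its answer text. It builds the three policy documents the selected design relies on: the SCP attached to each team account, the trust policy of the cross-account role Security assumes in each team account, and the bucket policy that lets CloudTrail deliver every account's logs to the security account's bucket. It also includes a simplified SCP evaluator and a trust-policy check so the guardrail behaviour can be verified offline. All account IDs, the organization ID, the role name `SecurityAudit`, the bucket name and the external ID are hypothetical.

```python
"""Added example (not from the original question): Organizations guardrails for a
per-team-account design with a central security account. All identifiers are hypothetical."""
import fnmatch
import json

MANAGEMENT_ACCOUNT = "111111111111"              # hypothetical Organizations management account
SECURITY_ACCOUNT = "222222222222"                # hypothetical security account (logs, cross-account access)
TEAM_ACCOUNTS = ["333333333333", "444444444444"]  # hypothetical team accounts
ORG_ID = "o-exampleorgid"                        # hypothetical organization id
LOG_BUCKET = "example-org-cloudtrail-logs"       # hypothetical bucket owned by the security account
SECURITY_ROLE = "SecurityAudit"                  # hypothetical cross-account role name


def security_guardrail_scp() -> dict:
    """SCP attached to every team account. An SCP only restricts; it grants nothing,
    and it does not apply to the management account, which is why the security
    account should not be the management account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Nobody in the account, even an administrator, can switch off audit logging
                "Sid": "ProtectCloudTrailAndConfig",
                "Effect": "Deny",
                "Action": [
                    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors",
                    "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
                ],
                "Resource": "*",
            },
            {   # Leaving the organization would also escape this SCP, so deny it
                "Sid": "DenyLeaveOrganization",
                "Effect": "Deny",
                "Action": "organizations:LeaveOrganization",
                "Resource": "*",
            },
        ],
    }


def security_role_trust_policy(external_id: str) -> dict:
    """Trust policy of the SecurityAudit role created in each team account.
    Only the security account may assume it, and only with the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def log_bucket_policy() -> dict:
    """Bucket policy on the security account's log bucket for an organization trail.
    CloudTrail writes member-account logs under AWSLogs/<org-id>/ and the management
    account's own logs under AWSLogs/<management-account-id>/."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{LOG_BUCKET}"},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": [f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/{ORG_ID}/*",
                          f"arn:aws:s3:::{LOG_BUCKET}/AWSLogs/{MANAGEMENT_ACCOUNT}/*"],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


def scp_denies(scp: dict, action: str, resource: str = "*") -> bool:
    """Simplified SCP evaluation: True if an unconditional Deny statement matches the
    action and resource (IAM action matching is case-insensitive, '*' is a wildcard).
    Statements carrying a Condition are skipped because this toy evaluator has no request context."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or "Condition" in stmt:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if action_hit and resource_hit:
            return True
    return False


def trust_policy_is_scoped(policy: dict, trusted_account: str) -> bool:
    """True only if every principal belongs to `trusted_account` and every statement
    requires sts:ExternalId, i.e. the role cannot be assumed by any other account."""
    for stmt in policy["Statement"]:
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if not principals or any(f":{trusted_account}:" not in p for p in principals):
            return False
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            return False
    return True


if __name__ == "__main__":
    for name, doc in [("scp", security_guardrail_scp()),
                      ("trust", security_role_trust_policy("example-external-id")),
                      ("bucket", log_bucket_policy())]:
        print(f"--- {name} ---\n{json.dumps(doc, indent=2)}")
    print("StopLogging denied by SCP:", scp_denies(security_guardrail_scp(), "cloudtrail:StopLogging"))
```

The printed documents are what an operator would pass to `aws organizations create-policy --type SERVICE_CONTROL_POLICY`, `aws iam create-role --assume-role-policy-document` in each team account, and `aws s3api put-bucket-policy` in the security account; the evaluator is only there to show that the Deny holds regardless of how permissive a team's own IAM policies are.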