Which combination of actions should a solutions architect take to meet these requirements?

By:
In: SAP-C01
Tagged:
With: 2 Comments
A company is building dozens of new workloads by using a variety of AWS services.Each workload will belong to a separate business unit.The company needs to minimize costs as each business unit experiments with ways to innovate.The company also needs to maximize scalability for its security team so that the security team can identify and respond to threats as quickly as possible for all the workloads.

Which combination of actions should a solutions architect take to meet these requirements?

(Choose three.)

Set up a multi-account environment by using AWS Organizations. Organize accounts into the following OUs: Security, Infrastructure, Workloads, and Exception.

Set up a multi-account environment by using AWS Organizations. Organize accounts into the following SCPs: Security, Infrastructure, Workloads, and Exception.

Configure AWS Trusted Advisor to invoke an AWS Lambda function to move an AWS account that reaches a predefined budget threshold into the Exception OU. Apply an SCP at the root of the organization with a condition that matches the Exception OU to limit usage to core services, including Amazon EC2, Amazon S3, and Amazon RDS.

Use AWS Budgets alerts to invoke an AWS Lambda function to move an AWS account that reaches a predefined budget threshold into the Exception OU. Apply an SCP to the Exception OU to limit usage to core services, including Amazon EC2, Amazon S3, and Amazon RDS.

Turn on Amazon GuardDuty in each account. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team to the topic so that the security team can receive alerts.

Create a delegated administrator account for Amazon GuardDuty in the organization in AWS Organizations. Create an Amazon Simple Notification Service (Amazon SNS) topic in this account. Subscribe the security team to the topic so that the security team can receive alerts.

Explanations:

Setting up a multi-account environment with AWS Organizations using organizational units (OUs) for Security, Infrastructure, Workloads, and Exception enables centralized management, cost allocation, and streamlined security policies across accounts.

Using AWS Budgets alerts with Lambda to move accounts exceeding a budget threshold to an Exception OU, combined with a Service Control Policy (SCP) limiting access to core services, helps control costs efficiently.

Creating a delegated administrator for Amazon GuardDuty in AWS Organizations provides centralized security monitoring, while using SNS for alerts enables the security team to receive notifications promptly across workloads.

Organizational units (OUs), not SCPs, are used to organize accounts in AWS Organizations; SCPs are policies applied to OUs to control permissions.

AWS Trusted Advisor cannot move accounts or trigger actions based on budgets; AWS Budgets is the appropriate tool for budget-based actions.

Enabling GuardDuty per account would work, but it does not offer centralized management. Using a delegated admin account in AWS Organizations (Option F) is more scalable and efficient for central security notifications.

2026-03-20

2 Comments

  1. Adam
    Author

    I guess:
    Set up a multi-account environment by using AWS Organizations. Organize accounts into the following OUs: Security, Infrastructure, Workloads, and Exception.

  2. Scott
    Author

    I infer that the answer is:
    Set up a multi-account environment by using AWS Organizations. Organize accounts into the following OUs: Security, Infrastructure, Workloads, and Exception.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 × one =