Which combination of steps should a solutions architect take 10 meet these requirements?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company wants to migrate to AWS.The company wants to use a multi-account structure with centrally managed access to all accounts and applications.The company also wants to keep the traffic on a private network.Multi-factor authentication (MFA) is required at login, and specific roles are assigned to user groups.The company must create separate accounts for development.staging, production, and shared network.The production account and the shared network account must have connectivity to all accounts.The development account and the staging account must have access only to each other.

Which combination of steps should a solutions architect take 10 meet these requirements?

(Choose three.)

Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations.

Enable AWS Security Hub in all accounts to manage cross-account access. Collect findings through AWS CloudTrail to force MFA login.

Create transit gateways and transit gateway VPC attachments in each account. Configure appropriate route tables.

Set up and enable AWS IAM Identity Center (AWS Single Sign-On). Create appropriate permission sets with required MFA for existing accounts.

Enable AWS Control Tower in all accounts to manage routing between accounts. Collect findings through AWS CloudTrail to force MFA login.

Create IAM users and groups. Configure MFA for all users. Set up Amazon Cognoto user pools and Identity pools to manage access to accounts and between accounts.

Explanations:

Deploying a landing zone with AWS Control Tower establishes a multi-account structure and allows the organization to manage accounts centrally. This step is necessary for setting up the required accounts for development, staging, production, and shared networks.

While enabling AWS Security Hub can enhance security, it does not directly address the requirement for centrally managed access and traffic management. AWS CloudTrail does not enforce MFA login, so this option does not meet the needs.

Creating transit gateways and configuring route tables allows for the required connectivity between the production account and shared network account with all other accounts while maintaining traffic on a private network.

Setting up AWS IAM Identity Center (AWS Single Sign-On) with permission sets helps manage access and ensures MFA is enforced, which aligns with the company’s requirements for access management across accounts.

AWS Control Tower does not manage routing between accounts; it provides governance and best practices for multi-account setups. Additionally, AWS CloudTrail does not enforce MFA login, making this option unsuitable.

Creating IAM users and groups with MFA is a viable security practice but does not fulfill the requirement for centralized account management and does not adequately address the account structure needed for development and staging isolation.

2025-10-17

1 Comment

  1. Andrew
    Author

    It appears that the answer is:
    Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × one =