Which combination of steps should the solutions architect take to meet these requirements?
(Choose two.)
Use AWS Organizations to create an organization in the parent account for each LOB. Then, invite each LOB account to the appropriate organization.
Use AWS Organizations to create a single organization in the parent account. Then, invite each LOB’s AWS account to join the organization.
Implement service quotas to define the services and features that are permitted and apply the quotas to each LOB as appropriate.
Create an SCP that allows only approved services and features, then apply the policy to the LOB accounts. Enable consolidated billing in the parent account’s billing console and link the LOB accounts.
Explanations:
While using AWS Organizations to create separate organizations for each LOB might seem beneficial, it does not allow for consolidated billing or the breaking out of costs per LOB on a single invoice, which is a requirement.
Creating a single organization in the parent account and inviting each LOB’s AWS account allows for consolidated billing. This setup ensures that all accounts are managed centrally, facilitating cost allocation for each LOB in the invoice.
Implementing service quotas does not inherently enforce governance policies or restrict access to services across multiple accounts effectively. This option alone does not fulfill the requirement of delegating full administrator permissions while also maintaining restrictions as per governance policy.
Creating a Service Control Policy (SCP) to allow only approved services while applying this policy to the LOB accounts ensures that the governance policies are enforced. Enabling consolidated billing in the parent account allows for a single invoice that breaks out costs for each LOB account.