Which solution meets these requirements with the LEAST amount of operational overhead?
Create an organization in AWS Organizations. Create a single SCP for least privilege access across all accounts. Create a single OU for all accounts. Configure an IAM identity provider for federation with the on-premises AD FS server. Configure a central logging account with a defined process for log-generating services to send log events to the central account. Enable AWS Config in the central account with conformance packs for all accounts.
Create an organization in AWS Organizations. Enable AWS Control Tower on the organization. Review included controls (guardrails) for SCPs. Check AWS Config for areas that require additions. Add OUs as necessary. Connect AWS IAM Identity Center (AWS Single Sign-On) to the on-premises AD FS server.
Create an organization in AWS Organizations. Create SCPs for least privilege access. Create an OU structure, and use it to group AWS accounts. Connect AWS IAM Identity Center (AWS Single Sign-On) to the on-premises AD FS server. Configure a central logging account with a defined process for log-generating services to send log events to the central account. Enable AWS Config in the central account with aggregators and conformance packs.
Create an organization in AWS Organizations. Enable AWS Control Tower on the organization. Review included controls (guardrails) for SCPs. Check AWS Config for areas that require additions. Configure an IAM identity provider for federation with the on-premises AD FS server.
Explanations:
While this option establishes a multi-account environment with a single SCP and IAM identity provider for federation with AD FS, it lacks the scalability and built-in best practices provided by AWS Control Tower. It also requires manual management of SCPs and OUs, increasing operational overhead.
This option leverages AWS Control Tower, which simplifies account management by providing a pre-configured environment with best practices, including guardrails and compliance. It integrates seamlessly with AWS IAM Identity Center for AD FS federation, minimizing operational overhead while ensuring compliance flexibility.
Although this option establishes a multi-account environment and connects AWS IAM Identity Center to AD FS, it does not utilize AWS Control Tower. The manual setup of SCPs and central logging, along with enabling AWS Config, adds operational complexity compared to the automated setup provided by Control Tower.
This option also utilizes AWS Control Tower, which is beneficial, but it proposes using an IAM identity provider for federation instead of AWS IAM Identity Center. This increases operational overhead and complicates user management compared to the more integrated approach of using AWS IAM Identity Center with AD FS.
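The options and explanations above hinge on SCPs and OU structure acting as guardrails. The following added example (not part of the original question) models how an action is evaluated against SCPs inherited down a root, OU, account path: every level must contain a matching Allow and no level may contain a matching Deny, and an SCP never grants a permission on its own. The organization layout, account ID and policy contents are constructed sample data, and the evaluation is simplified to the Action element only (Resource and Condition are ignored).

```python
"""Model of SCP inheritance across an AWS Organizations OU hierarchy.
Constructed sample data; action-level evaluation only (no Resource/Condition)."""
from fnmatch import fnmatchcase

# Constructed org: root -> "ou-workloads" OU -> member account 111122223333
ORG_PATH = {"111122223333": ["root", "ou-workloads", "111122223333"]}

# FullAWSAccess is the default SCP attached at every level of a new organization.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

# Constructed guardrail SCPs: root blocks leaving the org, the OU protects logging.
SCPS = {
    "root": [FULL_ACCESS,
             {"Statement": [{"Effect": "Deny",
                             "Action": ["organizations:LeaveOrganization"]}]}],
    "ou-workloads": [FULL_ACCESS,
                     {"Statement": [{"Effect": "Deny",
                                     "Action": ["cloudtrail:StopLogging",
                                                "config:DeleteConfigurationRecorder"]}]}],
    "111122223333": [FULL_ACCESS],
}


def node_permits(policies, action):
    """One level permits an action iff some Allow matches it and no Deny does.
    AWS action names are matched case-insensitively and support '*' wildcards."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if any(fnmatchcase(action.lower(), a.lower()) for a in acts):
                if stmt["Effect"] == "Deny":
                    return False          # explicit Deny at this level wins outright
                allowed = True
    return allowed


def scp_permits(account_id, action, scps=SCPS, org_path=ORG_PATH):
    """The account's SCP boundary allows the action only if every level on the
    root -> OU -> account path permits it (intersection, not union)."""
    return all(node_permits(scps[node], action) for node in org_path[account_id])


def effective_allow(account_id, action, iam_allows, scps=SCPS):
    """Final decision: the identity-based IAM policy must allow the action AND
    the SCP boundary must permit it. SCPs restrict; they never grant."""
    return iam_allows and scp_permits(account_id, action, scps)


if __name__ == "__main__":
    for act in ("s3:PutObject", "cloudtrail:StopLogging"):
        print(act, "->", effective_allow("111122223333", act, iam_allows=True))
```

Attaching an Allow for a denied action at the account level does not help, because the OU-level Deny still fails the intersection.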