A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions.
Each division has its own AWS account and there is a need to ensure that the security policies are kept in place at the Account Level.
How can you achieve this? Choose 2 answers from the options given below.
A. B. C. D.
Answer - A and D.
With AWS Organizations, you can centrally manage policies across multiple AWS accounts without having to use custom scripts and manual processes.
For example, you can apply service control policies (SCPs) across multiple AWS accounts that are members of an organization.
SCPs allow you to define which AWS service APIs can and cannot be executed by AWS Identity and Access Management (IAM) entities (such as IAM users and roles) in your organization's member AWS accounts.
SCPs are created and applied from the master account, which is the AWS account that you used when you created your organization.
Option B is incorrect since the question mentions that you need to use separate AWS accounts.
Option C is incorrect since you need to use service control policies. "AWS IAM doesn't provide the facility to define access permissions to that minute level i.e., which AWS service APIs can and cannot be executed by IAM entities."
For more information on how to use service control policies, please visit the below URL.
https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/
To achieve corporate IT governance and cost oversight of all AWS resources consumed by its divisions while ensuring that the security policies are kept in place at the Account Level, you can use the following solutions:
A. Use AWS Organizations: AWS Organizations helps in centrally managing multiple AWS accounts. It allows you to consolidate billing and set up a hierarchy of accounts for the organization. You can apply policies to the entire organization or specific accounts, and these policies can govern various aspects of the AWS resources, such as networking, security, and compliance. With AWS Organizations, you can easily apply security policies to all AWS accounts, automate account creation and management, and consolidate billing and payment.
D. Use Service Control Policies: Service Control Policies (SCPs) are another way to manage AWS resources at scale. SCPs allow you to set permissions and restrictions on specific services or actions across multiple AWS accounts in your organization. SCPs are applied to an AWS Organizations organizational unit (OU) or an account, and the policies can be used to prevent users from performing actions that violate security policies or incur unexpected costs. SCPs can be used to enforce security and compliance requirements across all AWS accounts in an organization, ensuring that all divisions are following the same security policies.
Therefore, the correct answers to the question are A and D. By using AWS Organizations and Service Control Policies, you can achieve corporate IT governance, cost oversight, and security policies at the Account Level for all AWS resources consumed by the divisions.
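How SCPs attached at the organization root, an OU and a member account combine with an IAM policy, as an added Python example that is not from the original page or from AWS. The policy documents, the hierarchy and the function names are constructed for illustration, and the model ignores `Resource` and `Condition` elements.

```python
from fnmatch import fnmatchcase

# Constructed sample SCPs (illustrative, not from the original page).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECT_AUDIT = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "organizations:LeaveOrganization"],
    "Resource": "*"}]}
DIVISION_ALLOW_LIST = {"Statement": [{
    "Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudtrail:*"], "Resource": "*"}]}

def statement_matches(policy, effect, action):
    """True if any statement with this Effect names the action (wildcards allowed)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] == effect and any(
                fnmatchcase(action.lower(), pat.lower()) for pat in actions):
            return True
    return False

def scp_permits(levels, action):
    """levels: lists of SCPs attached at the root, each OU, then the account."""
    for attached in levels:
        if any(statement_matches(p, "Deny", action) for p in attached):
            return False  # an explicit Deny at any level wins
        if not any(statement_matches(p, "Allow", action) for p in attached):
            return False  # every level must allow the action
    return True

def is_authorized(levels, iam_policy, action):
    """SCPs only filter; the IAM policy must still grant the action."""
    return (scp_permits(levels, action)
            and statement_matches(iam_policy, "Allow", action)
            and not statement_matches(iam_policy, "Deny", action))

# Hypothetical hierarchy: root -> division OU -> division account.
HIERARCHY = [[FULL_ACCESS, PROTECT_AUDIT], [DIVISION_ALLOW_LIST], [FULL_ACCESS]]
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READER = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

if __name__ == "__main__":
    for act in ("s3:PutObject", "cloudtrail:StopLogging", "iam:CreateUser"):
        print(act, "->", is_authorized(HIERARCHY, ADMIN, act))
```

Even an account administrator with `Action: "*"` cannot stop CloudTrail logging or use services outside the division's allow list, while a read-only user gains nothing from the SCPs beyond what its own IAM policy grants.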