Q73 — AWS SAP-C02 Ch.2

Q223. A company has many separate AWS accounts and uses no central billing or management. Each AWS account hosts services for different departments in the company. The company has a Microsoft Azure Active Directory that is deployed. A solutions architect needs to centralize billing and management of the company's AWS accounts. The company wants to start using identity federation instead of manual user management. The company also wants to use temporary credentials instead of long-lived access keys. Which combination of steps will meet these requirements? (Select THREE)

Correct Answer: A. Create a new AWS account to serve as a management account. Deploy an organization in AWS Organizations. Invite each existing AWS account to join the organization. Ensure that each account accepts the invitation. C. Deploy AWS Single Sign-On (AWS SSO) in the management account. Connect AWS SSO to the Azure Active Directory. Configure AWS SSO for automatic synchronization of users and groups. E. Create AWS Single Sign-On (AWS SSO) permission sets. Attach the permission sets to the appropriate AWS SSO groups and AWS accounts.

Explanation

Option B suggests configuring each AWS account's email address to be aws+@example.com so that account management email messages and invoices are sent to the same place. Although this approach can help centralize email messages and invoices, it does not provide centralized billing or management features.

Option D suggests deploying an AWS Managed Microsoft AD directory in the management account and sharing the directory with all other accounts in the organization by using AWS Resource Access Manager (AWS RAM). Although this approach provides a managed directory and directory sharing capabilities, it does not provide centralized billing or management features.

Option F suggests configuring AWS Identity and Access Management (IAM) in each AWS account to use AWS Managed Microsoft AD for authentication and authorization. Although this approach provides centralized authentication and authorization, it does not provide centralized billing or management features.

Therefore, options A, C, and E together provide the most suitable solution: creating a new AWS account to serve as a management account, deploying an organization in AWS Organizations, inviting each existing AWS account to join the organization and ensuring that each account accepts the invitation; deploying AWS Single Sign-On (AWS SSO) in the management account, connecting AWS SSO to the Azure Active Directory, and configuring AWS SSO for automatic synchronization of users and groups; and creating AWS SSO permission sets and attaching them to the appropriate AWS SSO groups and AWS accounts. This approach provides centralized management, identity federation, and temporary credentials for secure access to AWS resources across multiple accounts.