Q58 — AWS SAP-C02 Ch.3
Q283. A company wants to migrate to AWS. The company wants to use a multi-account structure with centrally managed access to all accounts and applications. The company also wants to keep the traffic on a private network. Multi-factor authentication (MFA) is required at login, and specific roles are assigned to user groups. The company must create separate accounts for development, staging, production, and shared network. The production account and the shared network account must have connectivity to all accounts. The development account and the staging account must have access only to each other. Which combination of steps should a solutions architect take to meet these requirements? (Select THREE)
- A. Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations. ✓
- B. Enable AWS Security Hub in all accounts to manage cross-account access. Collect findings through AWS CloudTrail to force MFA login.
- C. Create transit gateways and transit gateway VPC attachments in each account. Configure appropriate route tables. ✓
- D. Set up and enable AWS Single Sign-On. Create appropriate permission sets with required MFA for existing accounts. ✓
- E. Enable AWS Control Tower in all accounts to manage routing between accounts. Collect findings through AWS CloudTrail to force MFA login.
- F. Create IAM users and groups. Configure MFA for all users. Set up Amazon Cognito user pools and identity pools to manage access to accounts and between accounts.
Correct Answer: A, C, and D (the options marked ✓ above).
Explanation
The three steps that a solutions architect should take to meet the company's requirements are:

A. Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations. By deploying AWS Control Tower, the company can create a multi-account structure with centralized management and governance. The landing zone is pre-configured for security and compliance best practices, including setting up private networks. AWS Control Tower also provides an Organizational Unit (OU) structure, which enables the company to manage permissions and access controls across accounts.

C. Create transit gateways and transit gateway VPC attachments in each account. Configure appropriate route tables. Transit Gateway is a service that connects multiple VPCs and VPN connections through a single hub. By creating Transit Gateway VPC attachments in each account, the company can enable connectivity between VPCs in different accounts while keeping the traffic on a private network. With appropriately configured transit gateway route tables, the production account and the shared network account can have connectivity to all accounts, while the development and staging accounts have access only to each other.

D. Set up and enable AWS Single Sign-On. Create appropriate permission sets with required MFA for existing accounts. AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple accounts and applications. It simplifies user access by letting users sign in once with their existing corporate credentials and then reach all of their authorized accounts and applications. By creating appropriate permission sets with required MFA for existing accounts, the company can assign specific roles to user groups and enforce MFA at login.

Options B, E, and F are incorrect because:

B. AWS Security Hub is a security service that helps the company consolidate security alerts and findings across accounts and services. However, it does not manage cross-account access or enforce MFA at login.

E. AWS Control Tower is a service that helps the company set up and govern a secure, compliant multi-account environment. It does not manage routing between accounts or enforce MFA at login.

F. IAM users and groups can be used to manage access to AWS resources within an account. However, they are not suitable for managing access between accounts. Amazon Cognito is a service that provides user sign-up, sign-in, and access control. However, it does not provide
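As an added illustration (not part of the original question or explanation), the following Python model shows why "configure appropriate route tables" in option C is the step that actually carries the segmentation, and the reachability check a practitioner would run on the design before accepting it. The route table names, the attachment-to-table associations and the two candidate designs are assumptions constructed for this example.

```python
"""Transit Gateway route-table model for the four-account design in this question.

Constructed example, not AWS API output. Each account owns one TGW VPC attachment
associated with one TGW route table; a table lists the attachments whose CIDRs it
carries (propagations). TGW forwarding is stateless: a flow works only if the
source's table routes to the destination AND the destination's table routes back.
"""
from itertools import permutations

ACCOUNTS = ("shared-network", "production", "development", "staging")

# Attachment -> associated route table (hypothetical table names).
ASSOCIATION = {
    "shared-network": "rt-core",
    "production": "rt-core",
    "development": "rt-nonprod",
    "staging": "rt-nonprod",
}

# First attempt: rt-nonprod carries only the dev and staging CIDRs, which is
# what "access only to each other" literally suggests.
NAIVE = {"rt-core": set(ACCOUNTS), "rt-nonprod": {"development", "staging"}}

# Working design: rt-nonprod also carries return routes to production and
# shared-network, otherwise flows those accounts open towards dev/staging are
# never answered. Limiting what dev/staging may *initiate* towards production
# is then a job for stateful controls (security groups), not TGW routes.
WORKING = {"rt-core": set(ACCOUNTS), "rt-nonprod": set(ACCOUNTS)}

def has_route(src, dst, tables):
    """Forward route: does the table associated with src know dst's CIDR?"""
    return src != dst and dst in tables[ASSOCIATION[src]]

def can_talk(src, dst, tables):
    """Bidirectional flow: forward route from src plus return route from dst."""
    return has_route(src, dst, tables) and has_route(dst, src, tables)

def reachability(tables):
    """Ordered (src, dst) pairs for which a flow actually completes."""
    return {(s, d) for s, d in permutations(ACCOUNTS, 2) if can_talk(s, d, tables)}

def meets_requirements(tables):
    """Production and shared-network reach every account; dev and staging reach each other."""
    hubs = ("production", "shared-network")
    r = reachability(tables)
    return all((h, a) in r for h in hubs for a in ACCOUNTS if a != h) and ("development", "staging") in r
```

Running `meets_requirements(NAIVE)` returns False because production has a forward route to development but the nonprod table has no return route, while `meets_requirements(WORKING)` returns True.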