Q67 — AWS SCS-C02 Ch.1
Question 67 of 100
A company is using AWS Organizations to implement a multi-account strategy. The company does not have on-premises infrastructure. All workloads run on AWS. The company currently has eight member accounts. The company anticipates that it will have no more than 20 AWS accounts total at any time. The company issues a new security policy that contains the following requirements:

- No AWS account should use a VPC within the AWS account for workloads.
- The company should use a centrally managed VPC that all AWS accounts can access to launch workloads in subnets.
- No AWS account should be able to modify another AWS account's application resources within the centrally managed VPC.
- The centrally managed VPC should reside in an existing AWS account that is named Account-A within an organization.

The company uses an AWS CloudFormation template to create a VPC that contains multiple subnets in Account-A. This template exports the subnet IDs through the CloudFormation Outputs section. Which solution will complete the security setup to meet these requirements?
- A. Use a CloudFormation template in the member accounts to launch workloads. Configure the template to use the Fn::ImportValue function to obtain the subnet ID values.
- B. Use a transit gateway in the VPC within Account-A. Configure the member accounts to use the transit gateway to access the subnets in Account-A to launch workloads.
- C. Use AWS Resource Access Manager (AWS RAM) to share Account-A's VPC subnets with the remaining member accounts. Configure the member accounts to use the shared subnets to launch workloads. ✓
- D. Create a peering connection between Account-A and the remaining member accounts. Configure the member accounts to use the subnets in Account-A through the VPC peering connection to launch workloads.
Correct Answer: C. Use AWS Resource Access Manager (AWS RAM) to share Account-A's VPC subnets with the remaining member accounts. Configure the member accounts to use the shared subnets to launch workloads.
Explanation
AWS Resource Access Manager (AWS RAM) shares resources across accounts. The requirements call for the subnets to come from the central VPC in Account-A, and for no account to be able to modify another account's resources. AWS RAM can share VPC subnets with the entire organization (or with an OU or individual accounts); member accounts then launch their workloads directly into the shared subnets, and each account's resources stay isolated: a participant can create, modify and delete only its own instances, network interfaces and security groups in a shared subnet, cannot view or touch resources that belong to other participants, and cannot modify VPC-level resources such as the subnet itself, its route table or its network ACL, which remain under Account-A's control. Conversely, Account-A cannot modify or delete the participants' resources. Option A fails because Fn::ImportValue only resolves exports from stacks in the same account and Region, so member accounts cannot import Account-A's subnet IDs. Option B fails because a transit gateway connects VPCs; it does not share subnets, and every member account would still need a VPC of its own, which the policy forbids. Option D fails for the same reason: VPC peering connects two VPCs, requires routes to be configured on both sides, and does nothing to restrict what either side can modify. AWS documentation describes sharing subnets with AWS RAM as the standard approach for this scenario.
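The fragment below shows what completing the setup in Account-A's CloudFormation template looks like. It is an added example, not code from the question or from any AWS sample: it assumes the existing template already defines the subnets as logical resources named PrivateSubnetA and PrivateSubnetB, and it takes the organization ID and the management account ID as parameters (all of these names are assumptions).

```yaml
# Added example, not part of the original question. Fragment to merge into
# Account-A's VPC template. Assumed names: PrivateSubnetA, PrivateSubnetB,
# OrganizationId, ManagementAccountId.
Parameters:
  OrganizationId:
    Type: String
    Description: AWS Organization ID (o-xxxxxxxxxx); every member account receives the share
    AllowedPattern: '^o-[a-z0-9]{10,32}$'
  ManagementAccountId:
    Type: String
    Description: Management account ID, needed to build the organization ARN
    AllowedPattern: '^[0-9]{12}$'

Resources:
  # ... existing VPC, PrivateSubnetA, PrivateSubnetB, route tables and NACLs stay as they are ...

  WorkloadSubnetShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: central-vpc-workload-subnets
      # Only the subnets are shared. The VPC, route tables and network ACLs are not
      # shareable objects here, so they remain owned and editable by Account-A alone.
      ResourceArns:
        - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetA}
        - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetB}
      # Sharing with the organization ARN covers current and future member accounts
      # (the 20-account ceiling needs no per-account list) and auto-accepts the share.
      Principals:
        - !Sub arn:${AWS::Partition}:organizations::${ManagementAccountId}:organization/${OrganizationId}
      # Refuse any principal outside the organization.
      AllowExternalPrincipals: false
```

Two checks a practitioner would run around this. First, sharing with an organization principal only works after RAM sharing with AWS Organizations has been enabled once from the management account (`aws ram enable-sharing-with-aws-organization`); otherwise the share is created but the organization principal is not associated. Second, from a member account, `aws ec2 describe-subnets` lists the shared subnets with an OwnerId equal to Account-A's account ID, which is how you confirm the member sees them before pointing its workload templates at those subnet IDs by value (the exported Outputs in Account-A cannot be imported cross-account). Note also that RAM does not by itself stop a member account from creating its own VPC; the first policy requirement is typically enforced separately with an SCP that denies ec2:CreateVpc in the member accounts.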