Q Review on AWS Organizations & Control Tower
JR-TutorialsDojo updated 1 month ago · 2 Members · 2 Posts
Hi, wondering if it was possible to have this question reviewed as well.
Category: CSAP – Design Solutions for Organizational Complexity
A multinational manufacturing company has multiple AWS accounts in multiple AWS regions across North America, Europe, and Asia. The solutions architect has been tasked to set up AWS Organizations to centrally manage policies and have full administrative control across the multiple AWS accounts owned by the company, without requiring custom scripts and manual processes.
Which of the following options is the recommended implementation to achieve this requirement with the LEAST effort?
1. Set up AWS Organizations by sending an invitation to all member accounts of the company from the master account of your organization. Create an OrganizationAccountAccessRole IAM role in the member account and grant permission to the master account to assume the role.
2. Use AWS Control Tower from the master account and enroll all the member AWS accounts of the company. AWS Control Tower will automatically provision the needed IAM permissions to have full administrative control across all member accounts.
3. Set up AWS Organizations by sending an invitation to the master account of your organization from each of the member accounts of the company. Create an OrganizationAccountAccessRole IAM role in the member account and grant permission to the master account to assume the role.
4. Set up AWS Organizations by establishing cross-account access from the master account to all member AWS accounts of the company. The master account will automatically have full administrative control across all member accounts.
The TD given answer is Option 1. However, I argue that the question states there should be no manual processes and it should be achieved with the least effort. I believe Option 1 requires manual acceptance of invites as well as the manual creation of the IAM roles in the member accounts. Whereas with Option 2, using Control Tower, you can “onboard” all the accounts centrally (no invites), it will automatically provision an AWSControlTowerExecution role in the member accounts providing full admin privileges, and it will allow you to centrally manage SCPs and Guardrails.
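To make the manual step in Option 1 concrete, here is an added example (not from the original post or from Tutorials Dojo) that builds the trust policy a member account's OrganizationAccountAccessRole needs so that only the organization's management account can assume it, and then audits such a trust policy the way a reviewer would: any wildcard principal, or any principal from an account other than the expected management account, is flagged. The account IDs are constructed placeholders, not values from the page.

```python
import json
from typing import List

# Constructed placeholder for the Organizations management account ID
# (not from the page); substitute your own management account ID.
MANAGEMENT_ACCOUNT_ID = "111111111111"


def build_trust_policy(management_account_id: str) -> dict:
    """Trust policy for OrganizationAccountAccessRole in a member account.

    Only principals in the management account may call sts:AssumeRole on
    the role; AdministratorAccess is attached separately as the permissions
    policy, so the trust policy is the only thing limiting who gets admin.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_from_principal(principal: str) -> str:
    """Extract the 12-digit account ID from an ARN or a bare account ID."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    # ARN layout: arn:partition:service:region:account-id:resource
    return parts[4] if len(parts) > 4 else ""


def audit_trust_policy(policy: dict, expected_account_id: str) -> List[str]:
    """Return findings for Allow statements granting sts:AssumeRole to
    principals that are wildcards or outside the expected management account.
    An empty list means the trust policy is scoped as intended."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        for arn in _as_list((principal or {}).get("AWS")):
            if arn == "*":
                findings.append(f"statement {i}: wildcard principal in AWS")
            elif _account_from_principal(arn) != expected_account_id:
                findings.append(f"statement {i}: foreign principal {arn}")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(MANAGEMENT_ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, MANAGEMENT_ACCOUNT_ID))
```

The JSON this prints is what you would pass as the assume-role policy document when creating the role in each invited member account, before attaching the AdministratorAccess managed policy; running audit_trust_policy over the trust policies of every member account's OrganizationAccountAccessRole is a cheap periodic check that no role has drifted to trust a broader set of principals than the management account.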
Hello m-agent,
Thank you for sharing your thoughts on this item. Take note that there are questions in the actual AWS exam that are difficult, tricky, and ambiguous. You have to be prepared to look for specific keywords or key phrases in order to find the most suitable answer. This is the style that we are trying to mimic in our practice tests. Some of the questions do not explicitly show the obvious keywords or phrases that will easily point to the answer.
Option 1 is about setting up AWS Organizations by sending invitations from the master account to all member accounts and creating an OrganizationAccountAccessRole IAM role in each member account. This option is recommended because it aligns with AWS best practices for centralized management and control. Although it may involve some initial manual steps, it offers seamless administrative control and policy management across all accounts once set up. Option 2, using AWS Control Tower, sets up and manages multiple AWS accounts. However, it will not automatically provision IAM permissions for all member accounts.
We recognize that this question can be further improved, and we will make the necessary updates, which should be reflected on the portal soon.
If you need further assistance or have additional suggestions, please share them with us. We are dedicated to improving our practice tests based on user feedback.
Best regards,
JR @ Tutorials Dojo