A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions.
The divisions want to maintain administrative control of the discrete AWS resources they consume and keep
those resources separate from the resources of other divisions. Which of the following options, when used
together, will support the autonomy/control of divisions while enabling corporate IT to maintain governance and
cost oversight? (Choose two.)

A. Use AWS Consolidated Billing and disable AWS root account access for the child accounts.
B. Enable IAM cross-account access for all corporate IT administrators in each child account.
C. Create separate VPCs for each division within the corporate IT AWS account.
D. Use AWS Consolidated Billing to link the divisions’ accounts to a parent corporate account.
E. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account’s Amazon S3 ‘Log’

B & D are correct when used in combination with each other.
C is theoretically correct by itself, but does not work well with the other choices since it involves only a single
AWS account, and the other possibly correct choices (B & D) both involve separate AWS accounts. The
question specifically states “Which of the following options, when used together”. So C is out.
A is incorrect because you don’t want to disable root access to the child accounts (well, except for their access
keys for API calls; deleting those is OK).
E is incorrect because it’s the exact opposite of the best practice, which is to centralize logs/security audit info across
multiple corporate AWS accounts: