AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A company uses AWS Organizations with individual workload accounts and a dedicated networking account. The networking account owns an AWS Transit Gateway (TGW) that must provide connectivity between on-premises resources and VPCs in each workload account. The networking team must remain the only group that can view or change TGW route tables and existing attachments. Application teams should be able to create and administer the attachment for their own VPCs without relying on the networking team to provision resources. The solution must minimize ongoing operational effort and rely solely on native AWS services.
Which approach meets these requirements?
Use AWS Resource Access Manager in the networking account to share the existing TGW with the workload accounts and grant each account IAM permission to create and manage its own TGW VPC attachment.
Deploy a separate TGW in every workload account and establish peering attachments between each application TGW and the networking TGW to achieve full-mesh connectivity.
Create VPC peering connections from each workload VPC to a hub VPC in the networking account that is already attached to the TGW, and update all VPC route tables accordingly.
Designate every workload account as an Amazon VPC delegated administrator in AWS Organizations so each team can attach its VPC to the TGW and manage TGW route tables directly.
AWS Resource Access Manager (RAM) lets the TGW owner share the transit gateway with other AWS accounts or organizational units. When a TGW is shared, principals in recipient accounts can call CreateTransitGatewayVpcAttachment to attach their own VPCs, yet they cannot view or modify TGW route tables or other accounts' attachments. This gives application teams the autonomy they need while leaving full control of the TGW's routing logic with the networking team.
Delegated-administrator settings for Amazon VPC do not grant per-account attachment permissions and would expose TGW route tables to other teams. VPC peering to a hub VPC requires the networking team to create and manage every peering connection and does not scale well. Deploying a separate TGW in each account and peering them together adds cost and complexity while still requiring central coordination. Therefore, sharing the existing TGW with AWS RAM and granting limited IAM permissions is the most efficient, least-privilege solution.
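As an added example (not part of the original question or answer), the two halves of the chosen approach in Python: the RAM share request the networking account makes, and a least-privilege IAM policy for a workload account with a simplified evaluator that confirms it allows attachment management but denies TGW routing actions. The IDs are constructed placeholders; the example assumes the TGW was created with auto-accept of shared attachments enabled (otherwise the networking team still has to accept each attachment).

```python
# Added example, not code from the original page. IDs below are constructed placeholders.
import fnmatch

TGW_ARN = "arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-0123456789abcdef0"
WORKLOAD_ACCOUNTS = ["222222222222", "333333333333"]


def ram_share_request(tgw_arn, principals):
    """Parameters the networking account passes to RAM CreateResourceShare
    (the real call is boto3 ram.create_resource_share(**params))."""
    return {
        "name": "shared-transit-gateway",
        "resourceArns": [tgw_arn],
        "principals": list(principals),    # account IDs, or an OU / organization ARN
        "allowExternalPrincipals": False,  # keep the share inside the Organization
    }


# IAM policy for a workload account: it may create and manage its own VPC
# attachment on the shared TGW, but can never touch TGW route tables or
# accept/reject attachments. Resource "*" can be narrowed to the shared TGW ARN
# plus the account's own VPC and subnet ARNs.
WORKLOAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageOwnTgwAttachment",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTransitGatewayVpcAttachment",
                "ec2:ModifyTransitGatewayVpcAttachment",
                "ec2:DeleteTransitGatewayVpcAttachment",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeTransitGateways",
            ],
            "Resource": "*",
        },
        {   # Explicit Deny wins even if a broader Allow is attached elsewhere.
            "Sid": "DenyTgwRoutingAndAcceptance",
            "Effect": "Deny",
            "Action": [
                "ec2:*TransitGatewayRoute*",
                "ec2:AcceptTransitGatewayVpcAttachment",
                "ec2:RejectTransitGatewayVpcAttachment",
            ],
            "Resource": "*",
        },
    ],
}


def is_allowed(policy, action):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching Allow grants."""
    effects = {s["Effect"] for s in policy["Statement"]
               if any(fnmatch.fnmatchcase(action, p) for p in s["Action"])}
    return "Deny" not in effects and "Allow" in effects
```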