AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Acme Group has merged its healthcare business (subject to HIPAA) and its payment-processing subsidiary (subject to PCI-DSS). The company already uses AWS Organizations with all features enabled and operates centralized log-archive and security-tooling accounts in a dedicated Security OU. Leadership wants to 1) apply and audit guardrails for HIPAA and PCI workloads independently, 2) continue sharing the existing security services, 3) receive a single consolidated bill for the entire conglomerate, and 4) avoid additional operational overhead. Which multi-account and OU strategy best satisfies these requirements?
Keep all workload accounts in the current Workloads OU, attach both HIPAA and PCI-DSS SCP sets to that OU, and rely on cost-allocation tags to distinguish the two subsidiaries.
Place all healthcare and payment workloads in separate VPCs inside a single shared AWS account, enable AWS Control Tower detective guardrails, and use an AWS Cost Category to allocate each subsidiary's spend.
Expand the current organization by creating two top-level workload OUs (Healthcare and Payments), move the respective workload accounts into each OU, retain the Security OU with the shared log-archive and security-tooling accounts, and attach HIPAA-specific SCPs to the Healthcare OU and PCI-DSS SCPs to the Payments OU while using the existing management account for consolidated billing.
Create a separate AWS Organization for the payment subsidiary, enable consolidated billing in each organization, and share the log-archive account between the two organizations by using AWS Resource Access Manager.
A single AWS Organization keeps billing and top-level governance centralized, so the management account continues to generate one consolidated invoice. Creating separate top-level workload OUs, one for HIPAA-regulated healthcare workloads and another for PCI-regulated payment workloads, provides clear isolation and lets the platform team attach a distinct SCP set to each OU for the relevant compliance framework (an SCP attached to an OU applies to every account beneath it and to nothing outside it, so accounts in the Security OU are unaffected). The existing Security OU can remain unchanged, allowing both subsidiaries to consume the shared log-archive and security-tooling accounts without duplication. Spinning up a second AWS Organization would eliminate the single bill and double the effort required to maintain guardrails, while keeping all workloads in one flat OU or (worse) in a single shared account would fail to provide the necessary regulatory isolation and granular policy control.
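The OU and SCP layout from the third option, expressed as an added example (not code from the question bank or from AWS): the plan is built offline as plain data, and only apply_plan() touches AWS Organizations. The account IDs and the specific deny statements are constructed placeholders, not the page's own guardrails.

```python
import json

# Constructed placeholder account IDs for the two subsidiaries' workload accounts.
# The Security OU (log-archive, security-tooling) is deliberately not in this map:
# it stays where it is and receives no new SCP.
WORKLOAD_ACCOUNTS = {"Healthcare": ["111111111111"], "Payments": ["222222222222"]}

# Illustrative guardrails (assumed for this example, not taken from the page): a
# shared baseline that keeps audit logging and organization membership intact, plus
# one framework-specific addition per OU.
BASELINE_DENY = [
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
    "guardduty:DeleteDetector", "organizations:LeaveOrganization",
]
OU_SPECIFIC_DENY = {
    "Healthcare": ["config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"],
    "Payments": ["kms:ScheduleKeyDeletion", "kms:DisableKey"],
}

def build_scp(ou_name: str, denied_actions: list) -> dict:
    """Return a deny-style SCP; attached to an OU it applies to every account under it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": f"{ou_name}Guardrails", "Effect": "Deny",
        "Action": sorted(set(denied_actions)), "Resource": "*"}]}

def build_plan() -> dict:
    """Map each new top-level workload OU to its accounts and its own SCP document."""
    return {ou: {"accounts": accts, "scp": build_scp(ou, BASELINE_DENY + OU_SPECIFIC_DENY[ou])}
            for ou, accts in WORKLOAD_ACCOUNTS.items()}

def scp_denies(scp: dict, action: str) -> bool:
    """True if one of the SCP's Deny statements names this exact action (no wildcards)."""
    return any(s["Effect"] == "Deny" and action in s["Action"] for s in scp["Statement"])

def apply_plan(plan: dict) -> dict:
    """Create the OUs under the root, move the accounts in, create and attach the SCPs.
    Runs with management-account credentials; returns the new OU ids."""
    import boto3  # imported here so the pure functions above run offline
    org = boto3.client("organizations")
    root_id = org.list_roots()["Roots"][0]["Id"]
    ou_ids = {}
    for ou, spec in plan.items():
        ou_id = org.create_organizational_unit(ParentId=root_id, Name=ou)["OrganizationalUnit"]["Id"]
        for account in spec["accounts"]:
            current_parent = org.list_parents(ChildId=account)["Parents"][0]["Id"]
            org.move_account(AccountId=account, SourceParentId=current_parent,
                             DestinationParentId=ou_id)
        policy_id = org.create_policy(
            Name=f"{ou}Guardrails", Description=f"{ou} compliance guardrails",
            Type="SERVICE_CONTROL_POLICY", Content=json.dumps(spec["scp"]),
        )["Policy"]["PolicySummary"]["Id"]
        org.attach_policy(PolicyId=policy_id, TargetId=ou_id)
        ou_ids[ou] = ou_id
    return ou_ids
```

Because each SCP is attached to its own OU, a Payments-only guardrail never reaches the Healthcare accounts, which is the granular control the explanation relies on.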
Exam domain: Design Solutions for Organizational Complexity