AWS Certified Solutions Architect Professional SAP-C02 Practice Question
An enterprise with several business units is migrating from on-premises data centers to AWS. The cloud governance team must implement a multi-account governance model that will centrally enforce preventive and detective controls across all AWS accounts. The solution must store all AWS CloudTrail and AWS Config logs in a single, dedicated, and immutable logging account. It needs to provide security engineers with read-only cross-account access and a consolidated security-posture view for the entire organization. Additionally, it must allow business units to provision new AWS accounts and pre-approved workloads through a self-service workflow, while minimizing ongoing operational overhead for the governance team.
Which solution will meet all these requirements?
Keep all workloads in a single AWS account, enforce least-privilege access with IAM permission boundaries, enable AWS Config rules and GuardDuty, and store CloudTrail logs in an S3 bucket encrypted with SSE-KMS.
Deploy AWS Control Tower to build a landing zone that creates dedicated Log Archive and Audit shared accounts, enable mandatory and strongly recommended guardrails, designate the Audit account as the delegated administrator for AWS Security Hub, and let business units provision new accounts and standardized workloads through Account Factory.
Create a custom landing zone by using AWS Organizations with service control policies, host an organization-trail CloudTrail and AWS Config aggregator in the management account, and have the central governance team provision new accounts through the Organizations CreateAccount API.
Implement the AWS Landing Zone Accelerator solution, push AWS Config rules to each account with CloudFormation StackSets, require each business unit to manually forward logs to a shared S3 bucket, and rely on AWS Budgets alerts for consolidated security visibility.