AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company is migrating 300 on-premises servers to AWS. An AWS Control Tower landing zone with AWS Organizations is already in place.
A dedicated member account named Migration must be able to administer AWS Application Migration Service (AWS MGN) across every account while the organization's management account must remain locked down. To reduce the attack surface, the Migration account must be prevented from launching or modifying any AWS resources other than those required by AWS MGN.
Which approach meets all of these requirements with the least administrative effort?
Configure AWS Application Migration Service only in the management account and use IAM permission boundaries to limit what migration users can do inside that account.
Publish migration CloudFormation templates through AWS Service Catalog in the Migration account and deploy them to each workload account with StackSets; rely on the default FullAWSAccess SCP.
From the management account, enable trusted access for AWS Application Migration Service and register the Migration account as AWS MGN's delegated administrator. Attach an SCP to the Migration account that denies all actions except the AWS MGN APIs plus minimal read-only Organizations and STS permissions.
In every member account, create a cross-account IAM role that grants AWS ApplicationMigrationFullAccess and allow the Migration account to assume those roles. Do not configure delegated administrator or SCPs.
Enabling trusted access for AWS MGN and then registering the Migration account as the delegated administrator allows that single account to run Global View and perform all migration tasks across the organization without using the management account. Because the Migration account is a member account, you can attach a service-control policy (SCP) that explicitly denies every action except the AWS MGN APIs (for example, mgn:*) plus read-only Organizations and STS actions that Global View requires. SCPs apply to delegated-administrator member accounts but never to the management account, so this design both enforces least privilege and keeps the management account isolated.
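The deny-all-except-MGN service control policy the explanation describes, as an added example that is not part of the original question or any AWS-provided policy. It builds the SCP document and evaluates which actions it leaves permitted; the specific Organizations and STS read-only actions listed are an assumption of what Global View needs, so confirm them against your own setup.

```python
"""Build the SCP for the Migration account and check what it permits.

Added example, not from the original page. The exact read-only Organizations
and STS actions below are assumed, not taken from the question.
"""
import fnmatch
import json

# Actions the SCP leaves outside its Deny. ASSUMED list: mgn:* is the only
# action family the question names; the rest approximate Global View's needs.
MGN_ALLOWED_ACTIONS = [
    "mgn:*",
    "organizations:DescribeOrganization",
    "organizations:ListAccounts",
    "sts:GetCallerIdentity",
    "sts:AssumeRole",
]


def build_migration_scp(allowed_actions=MGN_ALLOWED_ACTIONS) -> dict:
    """Return an SCP that explicitly denies everything except allowed_actions.

    An SCP never grants access: FullAWSAccess (or another Allow SCP) must still
    be attached above the account, and IAM policies inside the account still apply.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptMGN",
            "Effect": "Deny",
            "NotAction": list(allowed_actions),
            "Resource": "*",
        }],
    }


def scp_permits(scp: dict, action: str) -> bool:
    """Simplified SCP evaluation for one action.

    A Deny statement with NotAction blocks any action that matches none of
    the listed patterns; otherwise this SCP is neutral and the default Allow
    (FullAWSAccess) decides. Action matching is case-insensitive with wildcards.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or "NotAction" not in stmt:
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in stmt["NotAction"]):
            return False
    return True


if __name__ == "__main__":
    policy = build_migration_scp()
    print(json.dumps(policy, indent=2))
    for act in ["mgn:StartTest", "ec2:RunInstances", "iam:CreateRole", "sts:GetCallerIdentity"]:
        print(f"{act}: {'permitted' if scp_permits(policy, act) else 'denied'}")
```

The JSON printed by the block is what you would pass to `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and then `aws organizations attach-policy` against the Migration account, after `aws organizations enable-aws-service-access --service-principal mgn.amazonaws.com` and `aws organizations register-delegated-administrator` from the management account.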
The other options fail to meet one or more requirements:
Creating per-account IAM roles (option B) requires manual setup in hundreds of accounts and offers no centralized Global View.
Leaving AWS MGN in the management account (option C) violates the locked-down requirement and cannot be restricted by SCPs.
Service Catalog with StackSets (option D) does not grant the Migration account organization-wide AWS MGN administration and still needs additional guardrails.