AWS Certified Solutions Architect – Professional SAP-C01 – Question503

A Solutions Architect is designing a multi-account structure that has 10 existing accounts. The design must meet the following requirements:

  • Consolidate all accounts into one organization.
  • Allow full access to the Amazon EC2 service from the master account and the secondary accounts.
  • Minimize the effort required to add additional secondary accounts.

Which combination of steps should be included in the solution? (Choose two.)

A.
Create an organization from the master account. Send invitations to the secondary accounts from the master account. Accept the invitations and create an OU.
B. Create an organization from the master account. Send a join request to the master account from each secondary account. Accept the requests and create an OU.
C. Create a VPC peering connection between the master account and the secondary accounts. Accept the request for the VPC peering connection.
D. Create a service control policy (SCP) that enables full EC2 access, and attach the policy to the OU.
E. Create a full EC2 access policy and map the policy to a role in each account. Trust every other account to assume the role.

Correct Answer: AD

Explanation:

Explanation: There is a concept of Permission Boundary vs Actual IAM Policies. That is, we have a concept of “Allow” vs “Grant”. In terms of boundaries, we have the following three boundaries:
1. SCP
2. User/Role boundaries
3. Session boundaries (ex. AssumeRole … )
In terms of actual permission granting, we have the following:
1. Identity Policies
2. Resource Policies