    Amazon Web Services · AWS SAP-C02 · 26% of exam

    Organisational Complexity

    AWS Organizations, Service Control Policies, multi-account networking, AWS Control Tower, and cross-account resource sharing.

    28 practice questions
    Q04

    A company is setting up a new multi-account environment. They want to automate the provisioning of new accounts with standardized security baselines, VPCs, and IAM roles. Which AWS service is BEST suited for this?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 1
    Q19

    An organization wants to share a central AWS Transit Gateway and Amazon Route 53 Resolver rules across 50 AWS accounts. What is the MOST efficient way to manage this sharing?

    Easy · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 1
    Q52

    An enterprise is setting up a centralized logging architecture using AWS Organizations. They want all VPC Flow Logs, AWS CloudTrail logs, and Amazon Route 53 DNS logs from all member accounts to be sent to a central Amazon S3 bucket in a dedicated 'Log Archive' account. Which TWO configurations are required to achieve this securely? (Select TWO)

    Hard · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 1
    Q73

    An enterprise is migrating a complex portfolio of applications to AWS. They want to establish a robust tagging strategy to allocate costs, manage access, and automate operations. Which FOUR practices should they implement to enforce and utilize this tagging strategy effectively? (Select FOUR)

    Hard · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 1
    Q03

    A company wants to share a single AWS Transit Gateway across multiple AWS accounts within their AWS Organization. Which service facilitates this sharing?

    Easy · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 2
    Q10

    An architect is designing a multi-account structure. The security team requires that all AWS CloudTrail logs from all accounts be stored in a centralized, immutable S3 bucket in a dedicated 'Log Archive' account. What is the MOST secure and scalable way to implement this?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 2
    Q15

    A company is setting up a shared services VPC. They want to allow other VPCs in their AWS Organization to resolve internal DNS names hosted in Amazon Route 53 Private Hosted Zones within the shared services VPC. Which TWO steps are required? (Select TWO)

    Hard · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 2
    Q33

    An architect is designing a multi-account strategy using AWS Control Tower. They need to provision new accounts automatically, ensure specific baseline VPCs are deployed in every new account, and integrate with their third-party identity provider (IdP). Which THREE AWS services or features will be utilized? (Select THREE)

    Hard · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 2
    Q65

    A company is designing a multi-account AWS environment. They want to ensure that all VPC Flow Logs, AWS CloudTrail logs, and Amazon Route 53 DNS query logs are stored in a centralized S3 bucket in a dedicated Log Archive account. Which AWS service provides a managed solution to set up this baseline architecture?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 2
    Q04

    A company is setting up a new multi-account AWS environment. They want to automate the creation of accounts with baseline security configurations, centralized logging, and pre-configured VPCs. Which AWS service is BEST suited for this?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 3
    Q27

    An enterprise uses AWS Control Tower. They need to customize the account vending process to automatically deploy a specific third-party security agent on all EC2 instances created in new accounts. What is the BEST approach?

    Hard · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 3
    Q28

    A company has a centralized logging account. They want to ensure that AWS CloudTrail logs from all 100 member accounts in their Organization are sent to an S3 bucket in the logging account, and member account admins cannot disable this. What is the BEST solution?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 3
    Q53

    A company is setting up AWS Control Tower. They want to implement a shared services VPC for centralized Active Directory and security tools. Which TWO steps are required to integrate this with the Control Tower environment? (Select TWO)

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 3
    Q69

    A company is designing a multi-account strategy. They want to isolate their production environment from development. They also need a centralized way to manage DNS and network routing. Which THREE account types should they create according to AWS best practices? (Select THREE)

    Easy · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 3
    Q04

    A company is setting up a new AWS environment using AWS Control Tower. They need to ensure that all VPC flow logs across all member accounts are centralized into a single Amazon S3 bucket in a dedicated Log Archive account. The solution must prevent member account administrators from modifying or deleting the flow logs. What is the MOST operationally efficient solution?

    Hard · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 4
    Q09

    A company is setting up a shared services VPC in a central networking account. This VPC will host Active Directory domain controllers and a central logging server. The company wants to share these resources with 50 other VPCs across different AWS accounts within their Organization. They want to avoid complex routing and overlapping IP address issues. Which combination of services should be used? (Select TWO)

    Hard · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 4
    Q14

    An enterprise is using AWS Control Tower to manage its multi-account environment. They need to implement a custom security control: all new Amazon S3 buckets must have S3 Object Lock enabled for compliance reasons. This control is not available as a standard Control Tower guardrail. How should the Solutions Architect implement this automatically across all existing and future accounts?

    Hard · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 4
    Q20

    An enterprise has a central logging account where all AWS CloudTrail logs from 100 member accounts are stored in a single S3 bucket. The security team needs to query these logs using Amazon Athena. However, they are encountering KMS decryption errors when Athena tries to read the logs. The S3 bucket is encrypted with an AWS KMS Customer Managed Key (CMK). What is the MOST likely cause of the error?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 4
    Q48

    An enterprise has a strict compliance requirement: no Amazon EC2 instances can be launched without a specific set of tags (CostCenter and ProjectID). If a user attempts to launch an instance without these tags, the launch must be blocked immediately. How can the Solutions Architect enforce this across the entire AWS Organization?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 4
    Q04

    An enterprise is setting up a new multi-account AWS environment using AWS Control Tower. They need to provision isolated environments for 50 different development teams. Each team requires a standard set of VPCs, IAM roles, and security tools. The provisioning process must be automated and self-service for the team leads. Which approach is MOST operationally efficient?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 5
    Q19

    An enterprise is designing a multi-account strategy. They want to isolate workloads based on data sensitivity (Public, Internal, Confidential). They also need a centralized networking hub and a dedicated security tooling account. Which AWS Organizations Organizational Unit (OU) structure aligns BEST with AWS Well-Architected multi-account best practices?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 5
    Q28

    An enterprise is using AWS Control Tower to manage its multi-account environment. A new compliance regulation requires that all Amazon S3 buckets in the organization must have versioning enabled. If a user attempts to create a bucket without versioning, the creation must be blocked. Which mechanism should the Architect use to enforce this?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 5
    Q16

    A startup is growing rapidly and needs to establish a multi-account AWS environment based on best practices. They want automated account provisioning, centralized logging, and pre-configured security guardrails. Which service provides the MOST comprehensive solution?

    Easy · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 6
    Q17

    In an AWS Organizations setup, the management account needs to ensure that no member account can launch EC2 instances outside of the us-east-1 and eu-west-1 regions. How should this be enforced?

    Easy · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 6
    Q18

    A company has 100 AWS accounts. They want to centralize all AWS CloudTrail logs into a single S3 bucket in a dedicated Log Archive account. The solution must ensure that member accounts cannot modify or delete the logs. What is the BEST approach?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 6
    Q06

    A company is setting up a multi-account AWS environment using AWS Control Tower. They need to ensure that developers in the 'Sandbox' OU can experiment with new services, but they must not be able to create resources in regions outside of us-east-1 and eu-west-1. How should the Solutions Architect enforce this requirement?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 7
    Q34

    An enterprise is adopting AWS Control Tower to manage its multi-account environment. The security team wants to automatically detect and remediate any Amazon S3 buckets that do not have versioning enabled. How should this be implemented within the Control Tower environment?

    Medium · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 7
    Q51

    A company is designing a multi-account strategy using AWS Organizations. They want to isolate their production environment from their development environment. They also need a centralized logging account to store all AWS CloudTrail logs securely. Which combination of actions represents the BEST practice for this architecture? (Select THREE)

    Hard · 1m · AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    © 2026 TinyHive Labs. Company number 16262776.