
AWS Certified Solutions Architect

Associate Exam Prep

AWS Administration Toolbox


What We Will Cover:
• Serverless Computing
• Stateless Designs
• AWS Organizations
• CloudWatch and CloudTrail
• Key Management Service
• AWS Secrets Manager
• AWS Cognito
• AWS Trusted Advisor
• AWS Config
• AWS Macie
• AWS CloudFormation / Service Catalog

Workload Security Services
• Amazon Macie
• AWS Trusted Advisor
• AWS Config
• AWS CloudTrail
• Amazon CloudWatch
• Amazon Cognito
• Amazon GuardDuty
• AWS Secrets Manager
Serverless Computing
Serverless Computing Concepts
• No servers to manage
• Pay by usage
• Built-in scale
• Built-in high availability
Amazon API Gateway
• Create a unified API that acts as a “front door” for applications.
• Access data, business logic, or functionality from your back-end services.
• RESTful APIs, HTTP APIs and REST APIs, as well as an option to create WebSocket APIs.
• Amazon API Gateway provides throttling at multiple levels.
API Cheat Sheet
• API Gateway can process hundreds of thousands of concurrent API calls.
• API Gateway and Lambda create application-facing serverless infrastructure.
• Private API endpoints can be accessed from a VPC using an interface VPC endpoint.
• API requests can be throttled to prevent overloading your backend services.
• API Gateway logs track performance metrics for the backend, including API calls, latency, and error rates.
AWS Lambda
• No servers or EC2 instances to manage – focus on creating functions
• Background scaling handled by AWS
• Sub-second metering – pay for what you use
• Bring your own code – Node.js, Java, Ruby, Python, C#, Go
• Integrate with other AWS services
• Select a power rating from 128 MB to 1.5 GB; CPU and network are allocated proportionally
AWS Lambda Cheat Sheet
• S3 bucket: An object is uploaded to a bucket, which triggers a Lambda function.
• DynamoDB table: An entry is made in a DynamoDB table, triggering a Lambda function that performs a custom calculation.
• Amazon Kinesis: AWS Lambda can be triggered when data is added to an Amazon Kinesis stream.
• Amazon SNS: AWS Lambda can be triggered when a message is published to an SNS topic.
• Amazon API Gateway: Create RESTful APIs that can be accessed over HTTPS and use Lambda functions to access backend AWS services.
• Application Load Balancer (ALB): Incoming mobile application requests can be directed to AWS Lambda functions hosted by a target group.
Amazon Simple Storage Service (S3)
• Host a website application in an S3 bucket.
• S3 Object Lock prevents deletion of an object version for the duration of a specified retention period or indefinitely until a legal hold is removed.
• S3 Object Lambda: Add your own code to S3 GET, LIST, and HEAD requests using AWS Lambda functions to automatically process the output of a standard S3 GET, LIST, or HEAD request.
• AWS PrivateLink for S3 provides private connectivity between Amazon S3 and on-premises applications over AWS Direct Connect or AWS VPN.
Stateless Designs
Asynchronous Integration
• Loose coupling between workloads and AWS services
• One component (user request) generates the event
• Another component (EC2 instance) processes the event
• No direct point-to-point interaction between application services
Application Integration Services to Know

AWS Service                         | Purpose                               | Use case
Simple Notification Service (SNS)   | Send notifications from AWS Lambda    | Email, text, or
Step Functions                      | Visual workflow of AWS services       | Order processing workflow
Simple Queue Service (SQS)          | Messaging queue (FIFO, Standard)      | Distributed applications
Amazon MQ                           | Message broker based on Apache MQ     | Helps with migration from on-premise message brokers
Simple Queue Service
Managed message queue to decouple communications between distributed workload components such as applications and microservices.
SQS Message Processing
• Sender programs (SQS-configured applications) send messages into the queue.
• Receiver programs (SQS-configured applications or services) retrieve messages.
Simple Queue Service (SQS)
• Messages can be stored in SQS queues for up to 14 days; the default is 4 days.
• SQS messages can contain up to 256 KB of text data, which can include XML, JSON, and unformatted text.
• Applications can push messages into an SQS message queue and trigger a Lambda function that stores the message into another storage service such as DynamoDB.
• SQS queues can be used with applications hosted on EC2 instances, Elastic Container Service, and AWS Lambda.
SQS Components
• Standard queues: This default queue type has best-effort ordering of messages, and messages are delivered at least once (a message may be delivered more than once).
• FIFO (first-in, first-out) queues: This queue type preserves the order in which messages are sent and received, and each message is delivered exactly once. FIFO queues should be used when the order of operations and events is important.
• Polling: Applications can receive messages from an SQS queue using either the default short polling method or the long polling method.
• Dead-letter queue (DLQ): A message is moved to the DLQ once the maximum number of processing attempts has been reached without it being processed successfully.
• Visibility timeout: While a message is being processed there is a period during which it is not visible to other consumers.
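The visibility timeout and dead-letter queue bullets describe a sequence that is easier to see running than to read. The following is an added illustration, not AWS code or anything from the deck: an in-memory stand-in for a standard queue with a redrive policy, a consumer driven by a simulated clock, and a constructed scenario with one poison message. The names (Queue, Message, run_consumer, simulate) and the 30-second timeout, 3-delivery limit and 10-second polling step are assumptions chosen for the example.

```python
"""In-memory model of SQS standard-queue delivery: visibility timeout,
receive counting, and redrive to a dead-letter queue (DLQ) once a message
has been delivered max_receive_count times. Added illustration, not AWS's
implementation; queue, clock and messages are constructed so it runs offline."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Message:
    body: str
    receive_count: int = 0        # what SQS reports as ApproximateReceiveCount
    invisible_until: float = 0.0  # simulated clock time at which it becomes visible again


@dataclass
class Queue:
    """Stand-in for an SQS queue with an optional redrive policy (max_receive_count + dlq)."""
    name: str
    visibility_timeout: float = 30.0
    max_receive_count: Optional[int] = None
    dlq: Optional["Queue"] = None
    messages: List[Message] = field(default_factory=list)

    def send(self, body: str) -> None:
        self.messages.append(Message(body))

    def receive(self, now: float) -> Optional[Message]:
        """Return the first visible message and hide it for visibility_timeout seconds.
        A message that has already been delivered max_receive_count times is
        redriven to the DLQ instead of being delivered again."""
        for msg in list(self.messages):
            if msg.invisible_until > now:
                continue  # in flight: a consumer is still working on it
            if self.max_receive_count is not None and msg.receive_count >= self.max_receive_count:
                self.messages.remove(msg)
                if self.dlq is not None:
                    self.dlq.send(msg.body)
                continue
            msg.receive_count += 1
            msg.invisible_until = now + self.visibility_timeout
            return msg
        return None

    def delete(self, msg: Message) -> None:
        """The consumer deletes a message only after processing it successfully."""
        self.messages.remove(msg)


def run_consumer(queue: Queue, handler, ticks: int, step: float = 10.0) -> List[str]:
    """Poll the queue on a simulated clock. A handler that raises never deletes the
    message, so it reappears when its visibility timeout lapses; after
    max_receive_count failed deliveries the queue redrives it to the DLQ."""
    processed = []
    now = 0.0
    for _ in range(ticks):
        msg = queue.receive(now)
        if msg is not None:
            try:
                handler(msg.body)
            except ValueError:
                pass  # processing failed: leave the message in flight, no delete
            else:
                queue.delete(msg)
                processed.append(msg.body)
        now += step
    return processed


def simulate():
    """Constructed scenario: two good orders and one poison message that always fails."""
    dlq = Queue("orders-dlq")
    orders = Queue("orders", visibility_timeout=30.0, max_receive_count=3, dlq=dlq)
    for body in ("order-1", "poison", "order-2"):
        orders.send(body)

    def handler(body: str) -> None:
        if body == "poison":
            raise ValueError("cannot parse order")

    processed = run_consumer(orders, handler, ticks=11)  # clock runs from 0 s to 100 s
    return processed, [m.body for m in dlq.messages], len(orders.messages)


if __name__ == "__main__":
    print(simulate())  # (['order-1', 'order-2'], ['poison'], 0)
```

The poison message is delivered at 10 s, 40 s and 70 s (each time it reappears after the 30-second visibility timeout) and on the fourth attempt at 100 s it is redriven to the DLQ instead of being delivered, while the two good orders are processed and deleted in between. That is the behaviour to keep in mind when sizing the visibility timeout: it must exceed the consumer's worst-case processing time, or a slow but healthy consumer is indistinguishable from a failed one.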
SQS Exam Concepts
• DynamoDB: You can use SQS to transfer messages to DynamoDB by using a Lambda function.
• EC2 instances: You can scale an Auto Scaling group up when messages in the SQS queue increase.
• ECS: A worker task executes a script that polls for SQS messages and downloads and processes them as necessary.
• RDS: A lightweight daemon connects to an SQS queue and stores messages into an SQL database.
• S3: Changes to a bucket’s contents enable event notifications to an SQS queue.
• Lambda function: SQS queues can be configured to trigger a Lambda function. SQS message queues can receive notifications from SNS that messages are available to be processed.
Before SQS: Tightly Coupled Design (diagram)
Server – Account Check → Server – Calculate Tax → Server – Calculate Shipping; each server calls the next one directly.

With SQS (diagram)
A New Order message passes through the Check Acct, Acct OK, Add Sales Tax, and Shipping Added queues; each step reads from one queue and writes its result to the next, so no server talks to another directly.
Simple Notification Service
• Push model
• Subscribe to topic
• Delivery mechanisms: HTTP / HTTPS, SQS, SMS, Email
SNS Cheat Sheet
• SNS provides push-based delivery of messages.
• Messages are application-to-application or application-to-person.
• Application-to-application message delivery choices are HTTP/HTTPS, email, SQS queue endpoints, Kinesis Data Firehose, and AWS Lambda.
• Application-to-person message delivery choices are SMS, email, and push notifications.
• SNS supports event notifications and application monitoring.
AWS Step
Function
Amazon Cognito
• Amazon Cognito provides authentication, authorization, and user management for web and mobile applications hosted at AWS, with popular identity providers (Facebook and Google).
• End users can sign into applications without having to create new credentials.
• End users sign in using either a user pool or a federated identity provider.
AWS Cognito Authentication Options
User Pool
• User pools provide sign-up and sign-in options for your users, as well as user profile management and security features such as multi-factor authentication and password policies.
• A member of a user pool can sign into a web application with a username, phone number, or email address.
Identity Pool
• Users can authenticate to a web or mobile app through a Security Assertion Markup Language (SAML) provider such as Active Directory Federation Services, or through OpenID Connect (OIDC).
• After a successful user pool authentication, the user pool tokens are forwarded to the AWS Cognito identity pool, which provides temporary access to AWS services.
Amazon Cognito authentication flow (diagram)
1. The app authenticates against the Amazon Cognito User Pool and gets a token.
2. The app exchanges the user pool tokens for AWS temporary credentials from the Amazon Cognito Identity Pool.
3. The app accesses AWS services (Amazon S3, Amazon DynamoDB) with the AWS temporary credentials.


AWS Organizations
• AWS Organizations allows control of a nested AWS account tree.
• Member accounts can be grouped into OUs; each OU can be attached to different access policies.
• Users can only access what is allowed by AWS Organizations policies.
• Centralize IAM, CloudFormation, CloudTrail, CloudWatch, Config, Control Tower, the AWS Directory Service and other AWS services.
AWS Organizations structure (diagram)
Policies (Organizational Control Policy) are attached at the top of the tree → Organizational Units (Dev OU, Test OU, Prod OU) → AWS Accounts (A1, A2, A3, ...) → AWS Resources.
Service Control Policy (SCP)
• Filters that allow only the specified services and actions to be used in the AWS account where the SCP has been assigned.
• SCPs override attached IAM policies.

Example: the IAM policy allows full administrative permissions; the SCP allows RDS full control. Result: the only access allowed is RDS full control.

AWS Service Control Policy example
• This SCP denies all actions on all resources, except for actions performed on Amazon S3.
• This policy could be used in an organization to restrict member accounts to only accessing Amazon S3, while denying access to other AWS services.
• The "Principal" field specifies "*", which applies the policy to all users, including root users and AWS accounts created within the organization.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyAllExceptS3Access",
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "StringNotEquals": {
              "aws:ServiceName": "s3.*"
            }
          },
          "Principal": "*"
        }
      ]
    }
AWS Organizations and SCP (diagram)
Effective Permissions = the overlap between the identity-based policy and the Organizations SCP.
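The "overlap" rule above is worth exercising on concrete requests, because the two common mistakes on this topic are assuming an SCP can grant access and forgetting that a deny anywhere in the chain wins. The following is an added illustration, not AWS's policy engine and not from the deck: a small evaluator that applies IAM-style wildcard matching, explicit-deny-wins, and the rule that the identity policy AND every SCP must allow. The policies are constructed here. The deny-all-except-S3 SCP is written with NotAction, which is the form SCP syntax supports for "everything except"; SCPs do not take a Principal element, so none appears. Resource-based policies, permission boundaries and session policies are outside this model.

```python
"""Effective-permission check for a member account in AWS Organizations:
a request is allowed only when the identity-based IAM policy allows it AND
every SCP in the chain allows it; an SCP never grants anything on its own.
Added illustration with constructed policies, not AWS's evaluation logic."""
import re
from typing import List, Optional


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run, '?' one character, case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def statement_effect(stmt: dict, action: str, resource: str) -> Optional[str]:
    """'Allow' or 'Deny' when the statement applies to the request, else None."""
    if "Action" in stmt:
        applies = any(_wildcard_match(p, action) for p in _as_list(stmt["Action"]))
    else:  # NotAction: the statement applies to every action NOT listed
        applies = not any(_wildcard_match(p, action) for p in _as_list(stmt["NotAction"]))
    if applies and "Resource" in stmt:
        applies = any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"]))
    return stmt["Effect"] if applies else None


def policy_decision(policy: dict, action: str, resource: str) -> str:
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    effects = {statement_effect(s, action, resource) for s in policy["Statement"]}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def is_allowed(identity_policy: dict, scps: List[dict], action: str, resource: str = "*") -> bool:
    """Effective permission: the identity policy and all SCPs must each say Allow."""
    if any(policy_decision(scp, action, resource) != "Allow" for scp in scps):
        return False
    return policy_decision(identity_policy, action, resource) == "Allow"


# Constructed policies mirroring the slide's examples.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
EC2_READ_ONLY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
FULL_AWS_ACCESS = ADMIN  # the default SCP attached to every OU and account
SCP_RDS_ONLY = {"Version": "2012-10-17",  # allow-list SCP: "SCP allows RDS full control"
                "Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}
SCP_DENY_ALL_EXCEPT_S3 = {"Version": "2012-10-17",  # deny-list SCP in NotAction form
                          "Statement": [
                              {"Effect": "Allow", "Action": "*", "Resource": "*"},
                              {"Sid": "DenyAllExceptS3Access", "Effect": "Deny",
                               "NotAction": "s3:*", "Resource": "*"}]}


if __name__ == "__main__":
    # Slide example: IAM grants full admin, the SCP allows only RDS -> only RDS is usable.
    print(is_allowed(ADMIN, [SCP_RDS_ONLY], "rds:CreateDBInstance"))  # True
    print(is_allowed(ADMIN, [SCP_RDS_ONLY], "ec2:RunInstances"))      # False
    print(is_allowed(ADMIN, [SCP_DENY_ALL_EXCEPT_S3], "iam:CreateUser"))  # False
    # The SCP permits S3, but the identity policy never granted it -> still denied.
    print(is_allowed(EC2_READ_ONLY, [SCP_DENY_ALL_EXCEPT_S3], "s3:GetObject"))  # False
```

Passing more than one SCP in the list models an account that sits under several OUs: every policy on the path from the root to the account is consulted, so an RDS-only SCP higher up blocks S3 even when the account's own SCP permits it.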
Sharing Resources with Resource Access Manager
How can we share resources between different teams with different AWS accounts?
• Example: Share a database hosted on a subnet
• Use Resource Access Manager to share resources between AWS accounts
• Accept the invitation to join the resource share
• Owner permissions – control all VPC resources
• Participant permissions – control any created resources on the shared VPC subnet
• Many AWS services can be shared with RAM.
AWS CloudTrail
CloudTrail Operation
• All activity is recorded as a CloudTrail event
• Events are viewed through Event history
• Search, view and download the last 90 days of activity
AWS CloudTrail
• Records API and authentication activity on your AWS account.
• Custom trails can be created which deliver log files to S3 or CloudWatch Logs.
• Trails can be enabled per region, or for all regions.
• API history allows security analysis, resource change tracking and auditing for compliance.
• CloudTrail is per AWS account or AWS Organization.
• Consolidate logs from multiple accounts using a single S3 bucket.
Creating a Custom Trail
Select an S3 bucket for storage → Select an S3 bucket or CloudWatch Log Group → Enable SNS notifications → Lambda automation
Amazon CloudWatch
• Built-in monitoring service for AWS cloud resources
• Collect and track metrics
• Alarms / metrics
• Alerts / rules (Amazon EventBridge)
• Supports over 70 AWS services
• Monitor your instance and application log files
• Set alarms on errors found in log files and react to changes
• Set billing alarms
• Alarms have three states: OK, ALARM, INSUFFICIENT_DATA
CloudWatch in Operation (diagram)
Sources (EC2 logs, API calls via CloudTrail, AWS Config, authentication, VPC Flow Logs) → CloudWatch Metrics / Alarms and Events / Rules → actions (Alarm, SMS, SNS, Lambda, mobile push).
CloudWatch Logs
• Monitor your system and applications using existing system, application, and custom log files
• Can be used for real-time application and system monitoring
• Log files are kept indefinitely
• CloudTrail logs can be sent to CloudWatch Logs for real-time monitoring
• Metric filters can evaluate CloudTrail logs for specific terms or values
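Metric filters over a CloudTrail log group are the usual way to turn the "set alarms on errors found in log files" bullet into something concrete, and the three alarm states only make sense once you see how sparse the resulting metric is. The following is an added illustration, not AWS code and not from the deck: constructed CloudTrail-shaped records, a small matcher that covers the dotted-path/glob subset of the metric filter pattern language (all listed fields must match, like `{ ($.a = x) && ($.b = y) }`, with a list meaning any of those values), aggregation into per-period datapoints, and a simplified model of CloudWatch's threshold evaluation. The filter names, the 5-minute period and the thresholds are assumptions for the example.

```python
"""Run CloudWatch-Logs-style metric filters over CloudTrail records and turn the
resulting metric into a CloudWatch alarm state. Added illustration, not AWS code:
records are constructed, the filter syntax is a subset of the real pattern
language, and alarm evaluation is a simplified model of CloudWatch's."""
import fnmatch
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Constructed CloudTrail-style records (field names follow the CloudTrail record
# format; every value is made up for this example).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2024-01-10T08:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-10T08:01:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-10T08:03:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-10T08:04:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T09:15:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "Root"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-10T09:16:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole"}},
]]

# Filters a defender typically keeps on a CloudTrail log group (constructed here).
CONSOLE_LOGIN_FAILURES = {"eventName": "ConsoleLogin", "responseElements.ConsoleLogin": "Failure"}
ROOT_ACTIVITY = {"userIdentity.type": "Root"}
TRAIL_TAMPERING = {"eventSource": "cloudtrail.amazonaws.com",
                   "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"]}


def _lookup(record: dict, dotted: str):
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(record: dict, pattern: dict) -> bool:
    """Every field in the pattern must match; a list of globs means any of them."""
    for path, globs in pattern.items():
        value = _lookup(record, path)
        if value is None:
            return False
        globs = globs if isinstance(globs, list) else [globs]
        if not any(fnmatch.fnmatchcase(str(value), g) for g in globs):
            return False
    return True


def metric_datapoints(raw_events: List[str], pattern: dict, period: int = 300) -> Dict[int, int]:
    """Metric filter -> metric: count matching records per period, keyed by the period
    start in epoch seconds. A period with no match emits no datapoint, as a metric
    filter without a default value does."""
    counts = Counter()
    for line in raw_events:
        rec = json.loads(line)
        if matches(rec, pattern):
            ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            epoch = int(ts.timestamp())
            counts[epoch - epoch % period] += 1
    return dict(sorted(counts.items()))


def alarm_state(datapoints: Dict[int, int], threshold: int, evaluation_periods: int = 1) -> str:
    """The three CloudWatch alarm states: ALARM when the last evaluation_periods datapoints
    are all >= threshold, OK when data exists but is below it, INSUFFICIENT_DATA when
    there are not enough datapoints to judge."""
    recent = list(datapoints.values())[-evaluation_periods:]
    if len(recent) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    return "ALARM" if all(v >= threshold for v in recent) else "OK"


if __name__ == "__main__":
    for name, pattern, threshold in [("console-login-failures", CONSOLE_LOGIN_FAILURES, 3),
                                     ("root-activity", ROOT_ACTIVITY, 1),
                                     ("trail-tampering", TRAIL_TAMPERING, 1)]:
        dp = metric_datapoints(SAMPLE_EVENTS, pattern, period=300)
        print(name, dp, alarm_state(dp, threshold))
```

The three failed console logins land in the same 5-minute period and trip a threshold of 3; the single StopLogging call is matched by both the root-activity and the trail-tampering filters; and a filter that matches nothing yields an empty metric, which is why a freshly created alarm sits in INSUFFICIENT_DATA until the first datapoint arrives.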
CloudWatch and CloudTrail Compared
CloudWatch
• Performance monitoring
• Log events for AWS service operations
• Logs stored forever
• Supports AWS Organization
CloudTrail
• Auditing
• Log API activity for AWS service activities
• Logs stored to S3 or CloudWatch forever
• Supports AWS Organization
Amazon EventBridge
• React to changes in data events in AWS services, AWS applications, or SaaS applications.
• Global endpoints: Destinations for an Amazon EventBridge event can be replicated across primary and secondary regions for multi-region deployments.
• SaaS integration: Respond to events generated by well-known SaaS applications, including Shopify, Salesforce, and Zendesk.
• Targets: Targets can be a single AWS account or multiple accounts.
AWS Secrets Manager
• Store, rotate, and manage organizational secrets used to access your applications, services, and IT resources.
• Store and manage database credentials and API keys.
• Secure secrets for SaaS applications, SSH keys, RDS databases, third-party services, and on-premises resources.
AWS Key Management Service (KMS)
• Control the encryption of stored data across AWS services.
• Centrally manage and store your customer master keys (CMKs).
• CMKs can be generated using KMS, in an AWS CloudHSM cluster, or imported.
• Unique data keys are used for each encryption request.
• KMS stores multiple copies of encrypted versions of your keys with 99.999999999% durability.
KMS Encryption (diagram)
AWS WAF filtering rule → Application Load Balancer → Web App → Amazon RDS, with AWS Key Management Service (AWS KMS) supplying the keys used to encrypt the stored data.
AWS Security Services (KMS): Data Keys
• Data keys are encrypted by using your Customer Master Key.
• Data keys are not retained by KMS after use.
• Your encrypted data is stored along with an encrypted copy of the data key.
• When an AWS service needs to decrypt your data, KMS decrypts the data key using your Customer Master Key.
• All requests to use your master keys are logged in AWS CloudTrail.


KMS Integration with CloudTrail
• When were keys used?
• What data was accessed?
• Where did the request originate?
• Who used the key?
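The Data Keys slide and the CloudTrail questions above describe one mechanism: envelope encryption with a master key that never leaves the key service, plus an audit record for every use of that master key. The following is an added illustration, not AWS code or SDK usage and not from the deck: an in-memory stand-in for KMS that issues and unwraps data keys, a client that stores the wrapped data key beside the ciphertext and drops the plaintext key, and an audit log holding the who / which key / which API / when that CloudTrail would record. The symmetric primitive is a demonstration stand-in (SHA-256 keystream in counter mode plus an HMAC-SHA256 tag) chosen so the block runs on the standard library alone; KMS and the AWS SDKs use AES-GCM, and the envelope structure, not the cipher, is what the example shows. All class, function and key-id names are assumptions.

```python
"""Envelope encryption modelled as the KMS slides describe it: a CMK that never
leaves the key service, a fresh data key per encrypt call, the data key wrapped
under the CMK and stored beside the ciphertext, and an audit entry for every
CMK use. Added illustration, not AWS code; the cipher is a stand-in, not AES-GCM."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Tuple


def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()  # separate keys for encryption and MAC


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or wrapped key failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KeyService:
    """Stand-in for KMS: CMK material stays inside; callers only ever get data keys."""

    def __init__(self) -> None:
        self._cmks: Dict[str, dict] = {}
        self.audit_log: List[dict] = []  # who used which key, for which API, and when

    def create_key(self, alias: str) -> str:
        key_id = "key-" + secrets.token_hex(8)  # constructed id, not a real KMS key ARN
        self._cmks[key_id] = {"material": secrets.token_bytes(32), "alias": alias, "enabled": True}
        return key_id

    def set_enabled(self, key_id: str, enabled: bool) -> None:
        """Temporarily disable, or re-enable, a key without destroying it."""
        self._cmks[key_id]["enabled"] = enabled

    def _use(self, key_id: str, api: str, caller: str) -> bytes:
        self.audit_log.append({"eventName": api, "userIdentity": caller,
                               "keyId": key_id, "eventTime": time.time()})
        cmk = self._cmks[key_id]
        if not cmk["enabled"]:
            raise PermissionError(f"{key_id} is disabled")
        return cmk["material"]

    def generate_data_key(self, key_id: str, caller: str) -> Tuple[bytes, bytes]:
        """Return (plaintext data key, the same data key wrapped under the CMK)."""
        master = self._use(key_id, "GenerateDataKey", caller)
        data_key = secrets.token_bytes(32)
        return data_key, seal(master, data_key)

    def decrypt_data_key(self, key_id: str, wrapped: bytes, caller: str) -> bytes:
        master = self._use(key_id, "Decrypt", caller)
        return unseal(master, wrapped)


def encrypt_record(kms: KeyService, key_id: str, plaintext: bytes, caller: str) -> dict:
    """Client side: the data key is used once and dropped; only the wrapped copy is stored."""
    data_key, wrapped = kms.generate_data_key(key_id, caller)
    ciphertext = seal(data_key, plaintext)
    del data_key  # neither the client nor the key service retains the plaintext data key
    return {"keyId": key_id, "wrappedDataKey": wrapped, "ciphertext": ciphertext}


def decrypt_record(kms: KeyService, record: dict, caller: str) -> bytes:
    """The key service unwraps the data key under the CMK; the client decrypts locally."""
    data_key = kms.decrypt_data_key(record["keyId"], record["wrappedDataKey"], caller)
    return unseal(data_key, record["ciphertext"])


if __name__ == "__main__":
    kms = KeyService()
    kid = kms.create_key("alias/orders-db")
    rec = encrypt_record(kms, kid, b"constructed sample row", "app-role")
    print(decrypt_record(kms, rec, "app-role"))
    print([(e["eventName"], e["userIdentity"]) for e in kms.audit_log])
```

Two points from the slides become visible when this runs: the bulk data never passes through the key service (only 32-byte data keys do, which is why KMS can sit behind every encrypt call without becoming a throughput bottleneck), and the audit log answers the four CloudTrail questions for master-key use only, so "what data was accessed" has to be joined against the calling service's own logs.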
KMS Administrative Tasks
• Control access to IAM users and roles
• Automatically rotate keys
• Re-enable disabled keys
• Audit use of keys
• Temporarily disable keys
• Create keys with a unique alias
AWS GuardDuty
Continual Analysis of Important Stuff
• CloudTrail
• CloudTrail APIs
• VPC Flow Logs
• DNS Logs
• S3 Bucket access requests
GuardDuty Integration
Monitor → Analysis → Notify (Simple Notification Service)
GuardDuty findings
• Malicious reconnaissance
• Unusual API calls
• Suspicious outbound communication
• IAM User Account compromise
• EC2 instance compromise
AWS CloudFormation
• CloudFormation is an orchestration engine that works with JSON and YAML templates to deploy AWS resources.
• Each CloudFormation template declares the desired infrastructure stack to be created.
• The CloudFormation engine automatically deploys and links the resources together.
• CloudFormation works with templates, stacks, and change sets.
• Each template can deploy or update multiple AWS resources, or a single resource such as a VPC or an EC2 instance.
Benefits of CloudFormation
• Saving Time - Every CloudFormation deployment takes less time than the manual process.
• Security - Templates execute the same steps every time.
• Documentation - CloudFormation templates are readable and self-documenting.
• Repeatability - Deploy and redeploy the listed AWS resources in multiple environments.
CloudFormation Stacks
• Network stack: Define a baseline template for developers to ensure that their VPC network setup matches company policy.
• Web infrastructure: Deploy Internet gateways, associated route table entries, or load balancers into existing AWS network infrastructure.
• Database infrastructure: Create standby database infrastructure, including subnet groups and associated security groups.
• Application stack: Rebuild a complete application stack with required network and infrastructure components.
• Managed service: Automate the setup of any AWS managed service; for example, AWS Config or Inspector could be enabled and set up using a CloudFormation template.
Change Sets
• When a deployed CloudFormation resource stack needs to be updated, change sets allow you to preview how your existing AWS resources will be modified.
• Select the original CloudFormation template to edit and add the changes to be made.
• Your requested changes are analyzed against the existing CloudFormation stack, producing a change set that you can then review and either approve or cancel.
• Once a change set is created, reviewed, and approved, CloudFormation updates your current resource stack.
Change Sets (diagram)
Original Stack → Create Change Set → View / Change Change Set → Execute Change Set
AWS Service Catalog
Service Catalog
• Service Catalog is composed of portfolios, which are collections of one or more CloudFormation-built products.
• When an approved product is selected, Service Catalog delivers the CloudFormation template to CloudFormation, which then executes the template, creating the product.
• Service Catalog allows you to manage the distribution of CloudFormation templates as a product list to an AWS account or an AWS Organization.
• IAM roles can be used to limit the level of administrative access to the resources deployed by the product.
• Rules can also be defined, which allow you to control which AWS account and region the product can launch in.
• Each deployed product can also be listed by version number.
AWS Config
AWS Config provides details on how your AWS resources are currently configured. AWS Config rules can mandate your desired configuration settings for the evaluated AWS resources.
• Records changes and current status to the resource inventory.
• Notify when resources are created, modified, or deleted.
• Configuration items track resource attributes and relationships, current configuration, and related events.
• Custom Config rules for remediation.
• Config can also capture: software inventory on EC2 instances, patch levels, application versions.
AWS Config Configuration Triggers
• One or more resources
• A resource type and a resource ID
• A tag and a specific value
• A resource is created, updated, or deleted
Compliance Benefits
• Get notified when resources are created or modified
• Use historical data for auditing and compliance
• Troubleshoot configuration changes
• Perform security analysis
Custom Config Rules
• Config uses Lambda for rule evaluation
• Lambda functions must first be created
• Associate the Lambda function with a custom Config rule
Trusted Advisor
Trusted Advisor Benefits
• Cost Optimization
• Performance
• Security
• Fault Tolerance
• Service Limits
AWS Certificate Manager
• Provision, manage, and deploy public and private SSL / TLS certificates used with AWS services and AWS-hosted websites and applications.
• Certificates can be deployed on ELB load balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk, and APIs hosted on Amazon API Gateway.
• Public certificates: ELB port 443 traffic, CloudFront distributions, and public-facing APIs hosted by Amazon API Gateway all use public certificates.
• Private certificates: Delegated private certificates are managed by an AWS Certificate Manager hosted private CA.
• Imported certificates: Third-party certificates can be imported into AWS Certificate Manager.
Amazon Macie
Key Features of Amazon Macie
• Automated security classification of data access patterns
• Monitor data usage for anomalies
• Proactive data loss prevention through data visibility
• Custom report and alert management
Discover and Classify S3 Data
• Assign business value
• Create security alerts
• Custom policies
• Monitor data
• Understand data patterns
• Track account activity
Classifying Data Types
• General Data Protection Regulation (GDPR)
• Personally Identifiable Information (PII)
• Personal Health Information (PHI)
• Payment Card Industry (PCI)
Data Classification Types
Router config, DSA private key, mailing address, application logs, encryption keys, CVE, full name, source code, encrypted, RSA private key, SWIFT codes, email, credit card numbers, AWS_secret_key, driver's license IDs, JSON, financial, regex.
Amazon Macie Assigns Risk
Each object is assigned a risk from its content theme, file type, and file extension.
Amazon Macie Basic Alerts
• Basic alerts are automatically generated by Macie security checks
• Managed basic alerts can be enabled
• Custom basic alerts for exact conditions
Basic Alert Categories
• Service disruption
• Data compliance
• Open permissions
• Configuration compliance
• Identity enumeration
• Suspicious access
• Privilege escalation
• Credential loss
• Location anomaly
What We Covered:
• Serverless Computing
• Stateless Designs
• AWS Organizations
• CloudWatch and CloudTrail
• Key Management Service
• AWS Secrets Manager
• AWS Cognito
• AWS Trusted Advisor
• AWS Config
• AWS Macie
• AWS CloudFormation / Service Catalog
Question 1
A bug seems to have been introduced to the latest Lambda function. You would
like to review the function logs to see what is going wrong. Where are the function
logs stored?

A: AWS S3
B: CloudTrail
C: CloudWatch logs
D: Syslog
Answer
Question 2
What are the services available to assist in data encryption? Choose two answers.

A. Use the Key Management Service default master key.
B. Deploy Cloud HSM, and then store the top-level encryption keys.
C. Enable encryption on the EBS volumes of the clusters.
D. Use SSL/TLS for encrypting the data at rest.
Answer
Question 3
How can API activity be monitored for all AWS regions?

A. API activity cannot be monitored for all AWS regions, just the region that was
initially selected.
B. Create a custom CloudTrail trail and accept the default settings.
C. Create a custom trail for a single AWS region. Use CloudFormation to enable the
custom trail for regions as they are added.
D. Create a custom CloudTrail for each AWS region. Use AWS Config to check for
new AWS regions.
Answer
Question 4
A production application hosted on EC2 instances needs to be monitored for performance using the CloudWatch metric CPU utilization. When the defined threshold has been breached, what is the next step that should happen?

A. The CloudWatch agent should be installed and configured for monitoring.
B. A CloudWatch alarm should alert the notification service when the threshold is breached.
C. AWS Lambda should respond when the threshold is breached.
D. The SQS service should trigger a response when the threshold is breached.
Answer
Question 5
Your company is having trouble keeping track of suspicious network traffic and
DNS records.
Protection of API activity for S3 buckets is also becoming a necessity.
What AWS managed service should be selected to perform the required
monitoring?
A: AWS Inspector
B: AWS Macie
C: Amazon GuardDuty
D: VPC flow logs
Answer
Question 6
An on-premises application uploads files that are 5 GB in size to the AWS cloud.
Each file requires scanning after upload to check for compliance standards for cloud storage data.
Each file takes several seconds to upload, and the schedule for uploads is not consistent.
What storage process should be used to satisfy this application and its needs?
A. Store files in an SQS queue for further processing by a fleet of EC2 instances.
B. Use S3 buckets using event notifications to invoke a Lambda function to review for compliance.
C. Store files in EBS storage.
D. Store files in a DynamoDB table with triggers to call a Lambda function to review for compliance.
Answer
Question 7
Which of the following AWS services offers automated deployment of other AWS
services?

A. AWS CodeDeploy
B. AWS CodeBuild
C. AWS Elastic Beanstalk
D. AWS CloudFormation
Answer
Question 8
You are deploying a public-facing application load balancer that is going to receive incoming Internet traffic on port 443. What AWS service should be used to host your security certificates?

A. AWS Key Management Service
B. AWS Certificate Manager
C. AWS Secrets
D. Cloud HSM
Answer
Question 9
Two years ago, the graphics department moved its operations to AWS. Last year application development was moved to AWS. The accounting department is now moving to AWS. Compliance requirements dictate that each department must use its own AWS account.
How can the charges for the AWS services used for each AWS account be consolidated into one bill?

A. Use resource groups to group AWS resources.
B. Use AWS Control Tower.
C. Deploy AWS Organizations.
D. Use tags and Cost Explorer to create custom bills for each AWS account.
Answer
Question 10
Your company has deployed AWS Organizations to manage the multiple AWS accounts currently
being used. You want to share specific database resources deployed in subnets for test and dev
environments for multiple AWS accounts. What utility can help you achieve this goal?

A. Use AWS Control Tower to control access to resources for all new administrative accounts.
B. Create IAM policies defining developers with the ability to create subnets and resources on
subnets. Assign security policies to the associated development IAM groups.
C. Use AWS Resource Access Manager to share subnet resources with other member accounts.
D. Create a service control policy and assign it to the master account in the AWS Organization tree.
Answer
