A company wants to isolate its workloads by creating an AWS account for each workload. The company needs a solution that centrally manages networking components for the workloads. The solution also must create accounts with automatic security controls (guardrails).
Which solution will meet these requirements with the LEAST operational overhead?
AWS Control Tower is designed to simplify the process of setting up and governing a secure and compliant multi-account AWS environment, which aligns with the requirement for automatic security controls or guardrails. Additionally, it provides a centralized approach to managing networking components with AWS Resource Access Manager (AWS RAM) to share subnets with workload accounts. This combination minimizes operational overhead, making it the optimal solution for the company's needs.
It's a hard one. I'd go for B Several accounts in an org, with central mgmt > AWS Organization Sharing resources among accounts > AWS RAM AWS Organizations and RAM typically work well together... Happy to be challenged, of course.
Although automatic security control could be a hint for AWS Control Tower (set up and operate your multi-account AWS environment with prescriptive controls)
Statement: - The solution also must create accounts with automatic security controls (guardrails). https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html AWS Control Tower provides a pre-packaged set of guardrails (policies) and blueprints (best-practice configurations) to ensure that the environment complies with security and compliance standards. It’s designed to simplify the process of creating and managing a multi-account AWS environment while maintaining security and compliance.
Taking into consideration that AWS Control Tower is Orchestrator for AWS Organization which applies guardrails, I think A is a good choose. https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
It leverages AWS Control Tower for automated account deployment and management, along with AWS RAM for centralized networking management, thus minimizing operational overhead while meeting the company's requirements for workload isolation and automatic security controls.
Please explain why the answer is option A
I prefer B which is free. A may cause fee for sevice used while I am not sure about it.
Anser is A, Control Tower has guardrails AWS Audit Manager provides an AWS Control Tower Guardrails framework to assist you with your audit preparation.
answer is A
A. Use AWS Control Tower to deploy accounts. Create a networking account that has a VPC with private subnets and public subnets. Use AWS Resource Access Manager (AWS RAM) to share the subnets with the workload accounts.