
SAP-C02 Question #377: Real Exam Question with Answer & Explanation

The correct answer is A: Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite. To establish a multi-account AWS environment with centralized access, private network connectivity, MFA, and group-based roles, the architect should deploy AWS Control Tower, create Transit Gateways for inter-account private networking, and enable AWS IAM Identity Center.

Submitted by eva_at · Mar 6, 2026 · Design Solutions for Organizational Complexity

Question

A company wants to migrate to AWS. The company wants to use a multi-account structure with centrally managed access to all accounts and applications. The company also wants to keep the traffic on a private network. Multi-factor authentication (MFA) is required at login, and specific roles are assigned to user groups. The company must create separate accounts for development, staging, production, and shared network. The production account and the shared network account must have connectivity to all accounts. The development account and the staging account must have access only to each other. Which combination of steps should a solutions architect take to meet these requirements? (Choose three.)

Options

  • A. Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite
  • B. Enable AWS Security Hub in all accounts to manage cross-account access. Collect findings
  • C. Create transit gateways and transit gateway VPC attachments in each account. Configure
  • D. Set up and enable AWS IAM Identity Center (AWS Single Sign-On). Create appropriate
  • E. Enable AWS Control Tower in all accounts to manage routing between accounts. Collect findings
  • F. Create IAM users and groups. Configure MFA for all users. Set up Amazon Cognito user pools

Explanation

To establish a multi-account AWS environment with centralized access, private network connectivity, MFA, and group-based roles, the architect should deploy AWS Control Tower, create Transit Gateways for inter-account private networking, and enable AWS IAM Identity Center.

Common mistakes.

  • B. AWS Security Hub is a security posture management service for collecting and analyzing security findings, not for managing cross-account access or network routing.
  • E. AWS Control Tower focuses on governance and account provisioning within an organization, not on managing network routing between accounts, which is the function of services like Transit Gateway.
  • F. IAM users/groups and MFA are important, but for a multi-account setup with centralized access and lower operational overhead, AWS IAM Identity Center is the better fit than separate IAM users in each account. Amazon Cognito is typically used for external application users, not for the internal workforce.

Concept tested. Multi-account strategy, centralized identity, private networking.

Reference. https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
