SAP-C02 Question #512: Real Exam Question with Answer & Explanation
The correct answer is B: Create a new account to serve as a management account. Deploy an organization in AWS. To consolidate billing and enforce region restrictions, an AWS Organization should be deployed with a management account, an SCP denying resource creation outside US regions, and a role in the management account granting finance teams access to consolidated billing data.
Question
A company has five development teams that have each created five AWS accounts to develop and host applications. To track spending, the development teams log in to each account every month, record the current cost from the AWS Billing and Cost Management console, and provide the information to the company's finance team. The company has strict compliance requirements and needs to ensure that resources are created only in AWS Regions in the United States. However, some resources have been created in other Regions. A solutions architect needs to implement a solution that gives the finance team the ability to track and consolidate expenditures for all the accounts. The solution also must ensure that the company can create resources only in Regions in the United States. Which combination of steps will meet these requirements in the MOST operationally efficient way? (Choose three.)
Options
- A. Create a new account to serve as a management account. Create an Amazon S3 bucket for the
- B. Create a new account to serve as a management account. Deploy an organization in AWS
- C. Create an OU that includes all the development teams. Create an SCP that allows the creation of
- D. Create an OU that includes all the development teams. Create an SCP that denies the creation of
- E. Create an IAM role in the management account. Attach a policy that includes permissions to view
- F. Create an IAM role in each AWS account. Attach a policy that includes permissions to view the
Explanation
To consolidate billing and enforce region restrictions, an AWS Organization should be deployed with a management account, an SCP denying resource creation outside US regions, and a role in the management account granting finance teams access to consolidated billing data.
Common mistakes.
- A. While a management account is necessary, creating an S3 bucket for CloudTrail logs addresses auditing, not consolidated billing or region restriction enforcement.
- C. An SCP that allows resource creation only in US regions is less robust than a 'deny' policy, as it might inadvertently allow other regions if not perfectly structured or if default permissions change.
- F. Creating separate IAM roles in each of the 25 AWS accounts for the finance team defeats the purpose of consolidating expenditures and centralized management.
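The Region-restriction SCP that the explanation and the note on option C describe, written out as an added example (not taken from the question page or the AWS documentation). The list of permitted US Regions and the exempted global-service actions are assumptions chosen for the example, and the small evaluator only handles the one statement shape shown here, so you can see which requests the explicit Deny catches.

```python
import fnmatch
import json

# Constructed for this example: the US Regions the company permits, and
# global-service actions exempted from the Region check so that account-wide
# administration (IAM, Organizations, billing) keeps working. Both lists are
# assumptions; adjust them to the services the organization actually uses.
US_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "support:*",
                          "budgets:*", "ce:*", "cur:*", "route53:*", "cloudfront:*"]

# The SCP itself: an explicit Deny on every action except the exempted ones
# whenever the request targets a Region outside US_REGIONS.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideUSRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": US_REGIONS}},
    }],
}


def scp_denies(action: str, requested_region: str, policy: dict = SCP) -> bool:
    """Return True when a Deny statement in `policy` matches the request.

    Simplified evaluator for the statement shape used above (NotAction plus a
    StringNotEquals condition on aws:RequestedRegion); it is not a general
    IAM policy engine, and "not denied" still requires an IAM Allow elsewhere.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the statement applies to every action NOT in the list.
        if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["NotAction"]):
            continue
        permitted = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in permitted:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for action, region in [("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("iam:CreateRole", "eu-west-1")]:
        print(f"{action} in {region}: {'denied' if scp_denies(action, region) else 'not denied'}")
```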
Concept tested. AWS Organizations, Consolidated Billing, Service Control Policies (SCPs), Centralized Access
Reference. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html