Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.3.1. Sample Questions - Domain 1: Design for Organizational Complexity

Question 1:

A large enterprise with multiple business units is adopting AWS. Each business unit requires its own isolated environment for development, testing, and production, with centralized billing and the ability to apply preventive security controls across all accounts. Which AWS service combination is the MOST appropriate for designing this multi-account strategy?

A) "AWS IAM Identity Center" and "IAM Users"
B) "AWS Organizations" and "Service Control Policies (SCPs)"
C) "AWS CloudFormation StackSets" and "AWS Resource Access Manager (RAM)"
D) "AWS Control Tower" and "AWS Systems Manager"

Correct Answer: B
Explanation:
  • A) "AWS IAM Identity Center" and "IAM Users": "IAM Identity Center (SSO)" centralizes user access, and "IAM Users" are individual identities. While important for user management, they do not provide centralized billing or apply preventive security controls across multiple accounts at an organizational level.
  • B) "AWS Organizations" and "Service Control Policies (SCPs)": "AWS Organizations" provides centralized management and consolidated billing for multiple AWS accounts. "Service Control Policies (SCPs)" within "Organizations" allow you to centrally control the maximum available permissions for all "IAM users" and roles in member accounts, acting as preventative security guardrails. This directly addresses centralized billing and preventive security controls across the entire organization. This aligns with the First Principle of Centralized Governance and Preventive Security Controls at scale.
  • C) "AWS CloudFormation StackSets" and "AWS Resource Access Manager (RAM)": "CloudFormation StackSets" deploy resources consistently across accounts/regions, and "RAM" shares resources between accounts. These are tools for resource management and sharing, not for centralized billing or organizational-level preventive security policies for "IAM" entities.
  • D) "AWS Control Tower" and "AWS Systems Manager": "Control Tower" sets up a well-architected multi-account landing zone with guardrails, and "Systems Manager" provides operational management. While "Control Tower" builds upon "Organizations" and provides guardrails, "AWS Organizations" itself is the fundamental service for the multi-account structure and "SCPs" are the mechanism for the preventive controls across accounts. "Systems Manager" is for instance management, not organizational structure.

Question 2:

An architect needs to design a network solution to connect 50+ "VPCs" in a hub-and-spoke topology, enabling transitive routing between spoke "VPCs" via a central hub, and supporting future growth to hundreds of "VPCs". The solution must minimize complexity and operational overhead. Which AWS service is the MOST suitable for this requirement?

A) "VPC Peering"
B) "AWS Transit Gateway"
C) "AWS Direct Connect"
D) "AWS Client VPN"

Correct Answer: B
Explanation:
  • A) "VPC Peering": "VPC Peering" connects two "VPCs" directly and is NOT transitive. For 50+ "VPCs", it would create an unmanageable mesh of (N*(N-1))/2 connections (1225 peerings for 50 VPCs) and does not inherently support transitive routing. It violates the First Principle of Scalable Network Design and Minimizing Complexity.
  • B) "AWS Transit Gateway": "AWS Transit Gateway (TGW)" acts as a central network hub that connects "VPCs" and on-premises networks. It supports transitive routing, simplifying the network architecture by eliminating the need for numerous individual peering connections and providing a scalable solution for hundreds or thousands of "VPCs". This directly addresses the requirements for a hub-and-spoke topology, transitive routing, scalability, and minimizing operational overhead. This aligns with the First Principle of Centralized, Scalable Network Connectivity.
  • C) "AWS Direct Connect": "Direct Connect" provides a dedicated network connection between an on-premises data center and AWS. It's for hybrid cloud connectivity, not for inter-"VPC" connectivity within AWS.
  • D) "AWS Client VPN": "Client VPN" allows remote users to securely access AWS resources via a "VPN" connection. It's for remote access, not for connecting "VPCs" to each other.

Question 3:

A development team within a large organization requires administrative permissions within their own AWS account but must be prevented from performing certain high-risk actions, such as creating new "IAM users" or deleting critical network resources (e.g., "VPCs") in their account. A central security team manages the overall AWS Organization. Which AWS IAM feature should the central security team implement to enforce these maximum permissions?

A) "IAM Users"
B) "IAM Groups"
C) "IAM Roles"
D) "IAM Permissions Boundaries"

Correct Answer: D
Explanation:
  • A) "IAM Users": "IAM Users" are individual identities. While they can be assigned policies, they do not provide a mechanism to set maximum permissions for other users/roles within an account.
  • B) "IAM Groups": "IAM Groups" are collections of users to simplify permission management. They do not set maximum permissions for other "IAM" entities.
  • C) "IAM Roles": "IAM Roles" grant temporary permissions to entities. While roles are crucial for access management, they define what an entity can do while it has assumed the role; they do not cap the maximum permissions that can be granted to any entity within the account.
  • D) "IAM Permissions Boundaries": An "IAM Permissions Boundary" is an advanced feature that allows the central security team to set the maximum permissions that an identity-based policy can grant to an "IAM user" or role. It acts as a filter, preventing the delegated team from escalating privileges beyond the defined boundary, even if they create their own "IAM policies". This directly addresses the need to allow administrative permissions while preventing specific high-risk actions. This aligns with the First Principle of Controlled Autonomy and Enforced Guardrails for permission management.
    • Note: "Service Control Policies (SCPs)" could also prevent these actions at the organizational level, but the question specifically asks about enforcing maximum permissions within an account by a central security team delegating to a dev team, which is precisely the use case for "Permissions Boundaries".
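Both the SCP in Question 1 and the permissions boundary in Question 3 work the same way: a request is allowed only if the principal's own identity-based policy allows it AND the guardrail policy allows it, and an explicit Deny in either wins. The Python below is an added illustration, not part of the original question set or any AWS SDK; it models that intersection with a constructed boundary that grants admin rights but denies `iam:CreateUser` and `ec2:DeleteVpc` (resource ARNs and condition keys are deliberately ignored for brevity).

```python
import fnmatch

# Constructed guardrail policy: the shape of a permissions boundary (or an SCP)
# that leaves the dev team as admin but blocks the two high-risk actions.
GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminWithinBoundary", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "BlockHighRiskActions", "Effect": "Deny",
         "Action": ["iam:CreateUser", "ec2:DeleteVpc"], "Resource": "*"},
    ],
}

# The developer's own identity-based policy: full administrator access.
DEV_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _decision(policy, action):
    """Return 'deny', 'allow' or 'implicit_deny' for one policy document."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "deny"          # explicit deny always wins
            allowed = True
    return "allow" if allowed else "implicit_deny"


def is_allowed(action, identity_policy=DEV_IDENTITY_POLICY, guardrail=GUARDRAIL):
    """Simplified evaluation: effective permission is the intersection of the
    identity policy and the guardrail. Even if the dev team writes a policy
    that grants iam:CreateUser, the guardrail's Deny still blocks it."""
    return (_decision(identity_policy, action) == "allow"
            and _decision(guardrail, action) == "allow")
```

The same function shows the other direction of the filter: a narrow identity policy stays narrow, because the guardrail grants nothing on its own.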

Question 4:

A company requires a secure, auditable, and self-service mechanism for its development teams to provision standardized AWS infrastructure components (e.g., specific "VPC" configurations, approved "EC2" instance types with pre-defined security settings). The central IT governance team needs to approve and control which components are available. Which AWS service is best suited for this requirement?

A) "AWS CloudFormation"
B) "AWS Service Catalog"
C) "AWS Systems Manager"
D) "AWS Organizations"

Correct Answer: B
Explanation:
  • A) "AWS CloudFormation": "CloudFormation" is the underlying "IaC" tool used to define resources. While it defines the standardized components, it doesn't provide a self-service catalog or governance for approved products.
  • B) "AWS Service Catalog": "AWS Service Catalog" allows organizations to create and manage a catalog of IT services approved for use on AWS. It enables self-service provisioning for end-users (development teams) while ensuring adherence to governance, security, and compliance standards by providing pre-approved and configured products. This directly addresses the need for a secure, auditable, and self-service mechanism with central governance. This aligns with the First Principle of Controlled Self-Service and Standardized Provisioning.
  • C) "AWS Systems Manager": "Systems Manager" provides operational insights and automation for AWS resources. While it can automate tasks, it's not a service for managing a catalog of approved IT products for self-service provisioning.
  • D) "AWS Organizations": "AWS Organizations" helps manage multiple AWS accounts for consolidated billing and policy enforcement. While it's part of the broader governance strategy, it doesn't provide the self-service catalog aspect described.

Question 5:

An enterprise needs to track and allocate AWS costs to specific departments and projects. They require a mechanism that allows them to categorize their resources and view detailed cost breakdowns in their billing reports. Which AWS feature should be implemented to achieve this?

A) "AWS Budgets"
B) "AWS Cost Explorer"
C) "Cost Allocation Tags"
D) "Reserved Instances (RIs)"

Correct Answer: C
Explanation:
  • A) "AWS Budgets": "AWS Budgets" allows you to set custom budgets and receive alerts. It's for cost control and monitoring against thresholds, not for categorizing resources or allocating costs to departments/projects.
  • B) "AWS Cost Explorer": "AWS Cost Explorer" allows you to visualize, understand, and manage your AWS costs and usage over time. It provides analysis capabilities, but the underlying data for allocation (like by department or project) comes from tags. It's an analysis tool, not the mechanism for categorization.
  • C) "Cost Allocation Tags": "Cost Allocation Tags" are labels that you apply to AWS resources to categorize them for cost tracking. When activated in the "Billing Console", these tags appear as columns in your "Cost and Usage Report (CUR)" and can be used in "Cost Explorer" to filter and analyze costs by department, project, environment, or any other defined category. This directly addresses the need to track and allocate costs to specific entities. This aligns with the First Principle of Granular Cost Visibility and Accountability.
  • D) "Reserved Instances (RIs)": "RIs" offer a significant discount on "EC2" usage (and other services). They are a cost optimization strategy, not a feature for cost allocation or categorization of resources.
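To make concrete how activated cost allocation tags surface in the "Cost and Usage Report (CUR)" as `resourceTags/user:<Key>` columns, here is an added Python example (not from the original question set, and the CUR rows are constructed, not real billing data) that allocates cost per tag value and also reports the untagged share, which is the figure a governance team watches to judge tagging coverage.

```python
import csv
import io
from collections import defaultdict

# Constructed CUR extract (sample data, not real billing output). Activated
# cost allocation tags appear as resourceTags/user:<Key> columns; the last
# row is deliberately untagged to show the coverage gap.
CUR_EXTRACT = """\
lineItem/ProductCode,lineItem/UnblendedCost,resourceTags/user:Department,resourceTags/user:Project
AmazonEC2,120.50,Finance,Ledger
AmazonEC2,80.00,Finance,Ledger
AmazonRDS,300.25,Finance,Reporting
AmazonS3,15.10,Marketing,Campaign
AmazonEC2,45.00,,
"""


def allocate_costs(cur_csv, tag_key):
    """Sum lineItem/UnblendedCost per value of one cost allocation tag.
    Rows missing the tag are grouped under '(untagged)' so the gap is
    visible instead of silently dropped."""
    column = f"resourceTags/user:{tag_key}"
    totals = defaultdict(float)
    for row in csv.DictReader(io.StringIO(cur_csv)):
        key = row.get(column) or "(untagged)"
        totals[key] += float(row["lineItem/UnblendedCost"])
    return {k: round(v, 2) for k, v in totals.items()}


def untagged_share(cur_csv, tag_key):
    """Fraction of total cost that cannot be allocated for this tag key."""
    totals = allocate_costs(cur_csv, tag_key)
    total = sum(totals.values())
    return round(totals.get("(untagged)", 0.0) / total, 4) if total else 0.0
```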