You must isolate PCI workloads while sharing baseline services (logging, directory, DNS) with non-PCI apps. Which design is strongest?
Explanation
Put the PCI workloads in their own AWS accounts under a dedicated organizational unit, so a compromise or misconfiguration in a non-PCI account cannot reach cardholder data, and attach service control policies (SCPs) to that OU as guardrails that no account administrator can loosen. Run the shared baseline (centralized logging, directory, DNS) from separate shared-services accounts and expose it cross-account through resource policies or shares rather than by co-locating workloads; the account boundary then defines the PCI scope, which keeps the assessment boundary explicit and the blast radius small.
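As an added example (not part of the quiz), the kind of SCP you would attach to the PCI OU, together with a small evaluator that shows how its Deny statements decide a request. The approved regions, the short list of global services exempted via NotAction, and the audit-service actions are assumptions for illustration; the evaluator supports only the StringEquals and StringNotEquals operators that this policy uses.

```python
import fnmatch

# Added example, not from the quiz. The region list, the NotAction list of
# global services and the audit-service actions are assumptions chosen to
# illustrate an SCP for a PCI organizational unit; tailor them to your org.


def pci_ou_scp(allowed_regions):
    """Build an SCP for the PCI OU: pin workloads to approved regions and stop
    member accounts from tampering with the audit trail or leaving the
    organization. SCPs only restrict; IAM policies still have to grant."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                # Global services have no region; exempt them (assumed subset).
                "NotAction": ["iam:*", "sts:*", "organizations:*",
                              "route53:*", "cloudfront:*", "support:*"],
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}},
            },
            {
                "Sid": "DenyAuditTrailTampering",
                "Effect": "Deny",
                "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                           "cloudtrail:UpdateTrail", "config:StopConfigurationRecorder",
                           "config:DeleteConfigurationRecorder", "guardduty:DeleteDetector"],
                "Resource": "*",
            },
            {
                "Sid": "DenyLeavingOrganization",
                "Effect": "Deny",
                "Action": "organizations:LeaveOrganization",
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))
    if "Action" in stmt:
        return hit(stmt["Action"])
    return not hit(stmt["NotAction"])


def _condition_holds(condition, ctx):
    """Evaluate the two string operators this toy evaluator supports. A negated
    operator (StringNotEquals) is true when the key is absent from the request
    context, which is how IAM treats missing condition keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = [v.lower() for v in _as_list(expected)]
            if operator == "StringEquals":
                if actual is None or actual.lower() not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual.lower() in wanted:
                    return False
            else:
                raise ValueError(f"operator not supported by this example: {operator}")
    return True


def scp_denies(scp, action, ctx):
    """Return the Sid of the first Deny statement that blocks `action` in the
    request context `ctx`, or None if the SCP does not block it."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt, action):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    scp = pci_ou_scp(["us-east-1", "eu-west-1"])
    for action, region in [("ec2:RunInstances", "ap-southeast-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("cloudtrail:StopLogging", "us-east-1"),
                           ("iam:CreateRole", None)]:
        ctx = {"aws:RequestedRegion": region} if region else {}
        print(f"{action:28} {region or '-':16} -> {scp_denies(scp, action, ctx) or 'not denied by SCP'}")
```

Two points the evaluator makes visible: the SCP never allows anything (a request that is "not denied" still needs an IAM Allow in the member account), and SCPs do not apply to the organization's management account, which is one more reason the PCI workloads and the shared-services accounts should all be member accounts.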
A data lake needs encryption at rest, key rotation, and least privilege for analytics jobs. Which KMS strategy aligns best?
Explanation
Use a customer managed KMS key (the older term is CMK) dedicated to the data lake, with automatic key rotation enabled and a key policy that separates key administrators from key users. Grant the analytics jobs' IAM roles only the usage actions they need (kms:Decrypt, kms:GenerateDataKey and the like) on that one key, conditioned on kms:ViaService so the key can be used only through S3. Every use of the key is logged in CloudTrail, which gives regulated workloads an auditable record of who decrypted what; AWS managed keys cannot be scoped this way because their key policy is not editable.
You need workload identities to access AWS APIs without long-lived keys from an external OIDC provider. Best option?
Explanation
Register the external provider as an IAM OIDC identity provider, create a role whose trust policy allows sts:AssumeRoleWithWebIdentity from that provider and conditions on the token's aud and sub claims, and have the workload exchange its OIDC token for temporary credentials through STS. No static access key exists to leak or rotate: the credentials expire after the session duration, and each session is tied to the external identity in the token rather than to a shared secret.
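As an added example (not part of the quiz), the trust policy such a role needs and a linter for the mistakes that turn OIDC federation into an open door. The account ID, repository and role names are placeholders, and the claim names follow GitHub Actions' provider (token.actions.githubusercontent.com) as one concrete case; other providers use their own issuer host and sub format.

```python
import json

# Added example, not from the quiz. The account ID, repository and role names
# are placeholders; the claim names follow GitHub Actions' OIDC provider
# (token.actions.githubusercontent.com) as one concrete case.


def oidc_trust_policy(account_id, provider_host, audience, subject_pattern):
    """Trust policy that lets identities from one OIDC provider assume the role,
    and only when the token's aud and sub claims match."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{provider_host}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "FederatedWorkloadAssumeRole",
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{provider_host}:aud": audience},
                "StringLike": {f"{provider_host}:sub": subject_pattern},
            },
        }],
    }


def without_subject_condition(policy):
    """Constructed weak variant: the same policy with the sub condition dropped,
    the classic misconfiguration that lets any repository on the provider in."""
    weak = json.loads(json.dumps(policy))
    del weak["Statement"][0]["Condition"]["StringLike"]
    return weak


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_trust_policy(policy, provider_host):
    """Findings for the mistakes that matter most in a web-identity trust
    policy: no aud check, no sub check, or a sub pattern matching any repo."""
    findings = []
    aud_key = f"{provider_host}:aud".lower()
    sub_key = f"{provider_host}:sub".lower()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "sts:assumerolewithwebidentity" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("Federated") == "*":
            findings.append("principal: Federated '*' trusts every OIDC provider")
        # Flatten all condition operators into claim -> accepted values.
        bound = {}
        for pairs in stmt.get("Condition", {}).values():
            for key, vals in pairs.items():
                bound.setdefault(key.lower(), []).extend(_as_list(vals))
        if aud_key not in bound:
            findings.append("aud: no audience condition; tokens minted for other relying parties are accepted")
        if sub_key not in bound:
            findings.append("sub: no subject condition; any identity the provider issues can assume the role")
        else:
            for pat in bound[sub_key]:
                parts = pat.split(":")
                if pat == "*" or (len(parts) > 1 and parts[1] == "*"):
                    findings.append(f"sub: pattern {pat!r} matches every repository")
    return findings


if __name__ == "__main__":
    host = "token.actions.githubusercontent.com"
    good = oidc_trust_policy("123456789012", host, "sts.amazonaws.com",
                             "repo:example-org/payments-api:ref:refs/heads/main")
    print(json.dumps(good, indent=2))
    print("scoped:", lint_trust_policy(good, host))
    print("no sub:", lint_trust_policy(without_subject_condition(good), host))
    print("repo:*:", lint_trust_policy(
        oidc_trust_policy("123456789012", host, "sts.amazonaws.com", "repo:*"), host))
```

At run time the workload obtains a JWT from its provider and calls STS AssumeRoleWithWebIdentity with the role ARN, a session name and that token; STS verifies the token's signature against the provider's published keys, checks that the issuer matches the registered IAM OIDC provider, evaluates the trust policy conditions against the claims, and returns credentials that expire at the end of the session. Without the sub condition the role is assumable by any token the provider issues with that audience, which for a public CI provider means any account on it.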