What is a recommended pattern for sharing services (like identity and logging) across accounts while maintaining strong isolation?

• A. Create dedicated shared services accounts and connect them via VPC endpoints or Transit Gateway, with controlled access via IAM roles and resource policies
• B. Create a single master account that houses all services
• C. Allow direct access by granting full administrative rights to every account
• D. Deploy shared services in each account independently

Answer: (C)

Sharing services across multiple AWS accounts while keeping strong isolation is best achieved by hosting those services in a dedicated Shared Services account and connecting the consumer accounts to that hub in a controlled way. Put identity services and logging infrastructure in this central account, then enable access from the other accounts through a hub-and-spoke network pattern. Use mechanisms like VPC endpoints, PrivateLink, or a Transit Gateway to privately reach the shared services without opening broad network access. Access should be granted via tightly scoped IAM roles and resource policies, following least privilege and cross-account trust, so each account can assume just the permissions needed to use the shared services. This setup provides centralized governance and consistent policy application, easy auditing, and a clear separation of responsibility, while still enabling efficient sharing of identity and logging.

In contrast, putting all services in a single master account concentrates risk and makes policy enforcement harder and less scalable; granting full administrative rights across every account defeats isolation and increases the blast radius; deploying shared services separately in every account leads to duplication, inconsistency, and higher maintenance overhead.