While preparing for the AWS SAP-C02, many candidates get confused by multi-account cost visibility and the role of AWS Organizations in FinOps. In the real world, this is fundamentally a decision about centralized governance vs. operational autonomy and data consistency vs. implementation complexity. Let’s drill into a simulated scenario.
The Scenario #
GlobalTech Industries operates a decentralized cloud infrastructure where each of its 15 engineering divisions (Platform, Data, ML, Security, etc.) manages its own cloud resources. The company has implemented AWS Organizations with a dedicated Organizational Unit (OU) for each division. Each OU contains between 5 to 30 AWS accounts, resulting in a total of over 400 AWS accounts across the organization.
The CFO and FinOps team have mandated that each engineering division must have visibility into the cost breakdown of all AWS accounts within their OU, enabling divisional leaders to track spending, identify cost anomalies, and enforce budget controls. The solution must support self-service access to cost data without requiring manual report generation or cross-account IAM complexity.
Key Requirements #
Design a scalable, maintainable solution that enables OU-level cost visibility across hundreds of AWS accounts, minimizing operational overhead while ensuring data accuracy and timeliness.
The Options: #
- A) Use AWS Resource Access Manager (RAM) to create an AWS Cost and Usage Report (CUR) for each OU; allow each team to visualize CUR data through Amazon QuickSight dashboards.
- B) Create a single AWS Cost and Usage Report (CUR) from the AWS Organizations management account; allow each team to visualize OU-filtered CUR data through Amazon QuickSight dashboards.
- C) Create an AWS Cost and Usage Report (CUR) in every member account within AWS Organizations; allow each team to aggregate and visualize CUR data through Amazon QuickSight dashboards.
- D) Use AWS Systems Manager to create an AWS Cost and Usage Report (CUR); allow each team to visualize CUR data through Systems Manager OpsCenter dashboards.
Correct Answer #
Option B – Create a single AWS Cost and Usage Report (CUR) from the AWS Organizations management account; allow each team to visualize OU-filtered CUR data through Amazon QuickSight dashboards.
Step-by-Step Winning Logic #
This solution aligns with AWS’s centralized billing and cost management architecture:
-
CUR Centralization: AWS Cost and Usage Reports can only be enabled from the management account (or a delegated administrator for billing). This single CUR automatically includes granular usage data from all member accounts, tagged with organizational hierarchy (OU, account ID, tags).
-
Data Completeness: A single CUR ensures consistency—no data drift, no missing accounts, no synchronization issues across 400+ accounts.
-
Scalability: As new accounts are added to OUs, they are automatically included in the CUR without any configuration changes.
-
FinOps Enablement: Amazon QuickSight can connect to the CUR (stored in S3), and row-level security (RLS) or dataset filters can restrict each team’s dashboard to show only their OU’s accounts. This decentralizes access while centralizing data governance.
-
Cost Efficiency: One CUR delivery to S3 (typically <$50/month even for large orgs) + QuickSight dashboards (starting at $9/user/month for readers) is far cheaper than managing hundreds of individual reports or custom aggregation pipelines.
💎 The Architect’s Deep Dive: Why Options Fail #
The Traps (Distractor Analysis) #
-
Why not A (AWS RAM for CUR per OU)?
- Fatal Flaw: AWS Resource Access Manager (RAM) is designed for sharing resources like subnets, Transit Gateways, or License Manager configurations—not for creating or sharing Cost and Usage Reports. CUR creation is a billing feature, not a shareable resource. This option is technically nonsensical and would fail immediately.
-
Why not C (CUR in every member account)?
- Operational Nightmare: Creating a CUR in each of 400+ accounts would require:
- 400+ S3 buckets (or complex bucket policies)
- 400+ CUR configurations to manage and maintain
- Custom ETL pipelines to aggregate data across accounts
- Continuous risk of configuration drift and missing accounts
- Data Inconsistency: Member account CURs don’t include cross-account discounts (Reserved Instances, Savings Plans, EDPs), leading to inaccurate cost attribution.
- Cost: Storage and processing costs multiply by account count.
- Operational Nightmare: Creating a CUR in each of 400+ accounts would require:
-
Why not D (AWS Systems Manager for CUR)?
- Wrong Service: AWS Systems Manager is for operational management (patching, configuration, automation)—it has no capability to generate or store Cost and Usage Reports. Systems Manager OpsCenter is for incident management, not cost analytics. This is a red herring that tests whether you understand service boundaries.
The Architect Blueprint #
graph TD
MgmtAcct[AWS Organizations
Management Account] -->|Enables CUR| CUR[Cost and Usage Report
Parquet/CSV]
CUR -->|Delivered Hourly| S3[S3 Bucket
Centralized CUR Storage]
S3 -->|Integrated via| Athena[Amazon Athena
Query CUR Data]
S3 -->|Integrated via| QuickSight[Amazon QuickSight
BI Dashboards]
QuickSight -->|RLS Filter: OU=Platform| Dashboard1[Platform Team Dashboard]
QuickSight -->|RLS Filter: OU=Data| Dashboard2[Data Team Dashboard]
QuickSight -->|RLS Filter: OU=ML| Dashboard3[ML Team Dashboard]
OU1[OU: Platform
Accounts 001-030] -.->|Usage Data| MgmtAcct
OU2[OU: Data
Accounts 031-080] -.->|Usage Data| MgmtAcct
OU3[OU: ML
Accounts 081-130] -.->|Usage Data| MgmtAcct
style MgmtAcct fill:#FF9900,stroke:#232F3E,stroke-width:3px,color:#fff
style CUR fill:#527FFF,stroke:#232F3E,stroke-width:2px,color:#fff
style S3 fill:#569A31,stroke:#232F3E,stroke-width:2px,color:#fff
style QuickSight fill:#E86211,stroke:#232F3E,stroke-width:2px,color:#fff
Diagram Note: The management account enables a single CUR that aggregates all member account usage, stores it in S3, and feeds QuickSight dashboards with row-level security to provide OU-specific cost views to each engineering team.
The Decision Matrix #
| Option | Implementation Complexity | Est. Monthly Cost (400 accounts) | Pros | Cons |
|---|---|---|---|---|
| A (RAM + CUR per OU) | Impossible | N/A | None—this is architecturally invalid | AWS RAM cannot create or share CUR; fundamentally incorrect service choice |
| B (Single CUR from Mgmt Account) ⭐ | Low | $50 (CUR) + $200 (QuickSight for 20 readers) = ~$250/mo | • Single source of truth • Auto-includes new accounts • Native OU/tag support • Minimal operational overhead |
Requires QuickSight RLS setup for multi-tenancy (one-time config) |
| C (CUR in every member account) | Extreme | $20,000+ (400 S3 buckets + 400 CUR deliveries + ETL pipelines) | Theoretically possible (but inadvisable) | • 400+ configurations to manage • No consolidated discount visibility • Data drift risk • Prohibitive cost and complexity |
| D (Systems Manager for CUR) | Impossible | N/A | None—this is architecturally invalid | Systems Manager has no CUR generation capability; wrong service domain |
FinOps Insight: Option B delivers 99% cost reduction vs. Option C while providing superior data quality and operational simplicity. The $250/month investment enables self-service cost visibility for 15 divisions, unlocking accountability and chargeback capabilities.
Real-World Practitioner Insight #
Exam Rule #
For the AWS SAP-C02 exam, when you see:
- “Multi-account cost visibility in AWS Organizations”
- “Hundreds of accounts organized by OU”
- “Cost breakdown by organizational unit”
Always choose the centralized CUR from the management account + QuickSight with filters/RLS. AWS deliberately designs billing to be centralized for consistency and discount application.
Real World #
In production environments at GlobalTech Industries, we would enhance this baseline solution with:
-
Cost Allocation Tags: Enforce mandatory tags (Environment, CostCenter, Project) via AWS Organizations SCPs to enable granular cost attribution beyond just OU structure.
-
Athena Views: Create pre-filtered Athena views per OU to simplify QuickSight dataset creation and improve query performance.
-
Automation: Use AWS Glue crawlers to automatically update CUR schema changes and maintain QuickSight datasets.
-
Alerting: Integrate AWS Budgets with SNS to send alerts to OU owners when spending exceeds thresholds.
-
Reserved Instance/Savings Plan Allocation: Configure RI/SP sharing preferences at the OU level to ensure accurate cost attribution of shared discounts.
-
Chargeback Workflow: Export QuickSight data to finance systems for automated chargeback/showback to divisional P&Ls.
The exam simplifies this to test your understanding of CUR’s architectural constraint (management account only) and QuickSight’s filtering capability (RLS for multi-tenancy). In reality, FinOps is 20% tool configuration and 80% organizational process design.