
Answer-first summary for fast verification
Answer: Create an AWS Service Catalog portfolio that users can use to create an approved VPC configuration with S3 gateway endpoints and approved EC2 instances. Share the portfolio with the developer accounts. Configure an AWS Service Catalog launch constraint to use an approved IAM role. Scope the developers' IAM permissions to allow access only to AWS Service Catalog.

Option D is the correct answer because it addresses the company's requirements in a comprehensive and cost-effective manner:

1. **Proactive Control with AWS Service Catalog:**
   - **AWS Service Catalog** allows you to create and manage a catalog of IT services that are approved for use on AWS. This ensures that developers can only deploy pre-approved infrastructure patterns.
   - It enforces architectural standards through controlled, preconfigured resources, without manual oversight each time a resource is deployed.
2. **Approved VPC Configuration:**
   - By sharing with the developer accounts an AWS Service Catalog portfolio that includes an approved VPC configuration with S3 gateway endpoints, you eliminate the data transfer costs between EC2 instances and S3. This is because data transfer within the same Region over S3 gateway endpoints is free.
3. **IAM Role Constraints:**
   - Configuring an AWS Service Catalog launch constraint with an approved IAM role ensures that the deployed resources adhere to the company's security and compliance requirements.
   - Developers' permissions are scoped to allow access only to AWS Service Catalog, so they can deploy only resources that conform to predefined standards.
4. **Cost Efficiency:**
   - Using gateway endpoints for S3 access significantly reduces the NAT gateway processing charges, as traffic to S3 no longer incurs NAT usage.
   - Providing developers with a catalog of approved EC2 instances ensures they use cost-effective instance types without the need for constant monitoring and manual intervention.
5. **Speed and Ease for Developers:**
   - AWS Service Catalog lets developers quickly and easily deploy the resources they need without cumbersome approval processes, which maintains their productivity.
   - It provides a seamless way to enforce best practices without introducing significant overhead or delays in the developer workflow.

Overall, this option ensures compliance with a predefined, cost-effective architecture while maintaining the speed and efficiency of the development process.
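
The hub-account side of option D as a CloudFormation template: portfolio, product, launch constraint and share. This is an added example, not part of the original explanation or an AWS-provided template; the resource names, the `ServiceCatalogLaunchRole` role name and both parameters are assumptions, and the product template it points to (VPC with an S3 gateway endpoint and approved instance types) is assumed to exist already.

```yaml
# Added example. Names, role name and parameter values are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Hub-account Service Catalog portfolio for approved VPC and EC2 patterns

Parameters:
  DeveloperAccountId:
    Type: String
    Description: Developer account to share with (placeholder such as 111122223333)
  ProductTemplateUrl:
    Type: String
    Description: S3 URL of the approved VPC + EC2 product template (assumed to exist)

Resources:
  ApprovedPortfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: approved-network-and-compute
      ProviderName: platform-team

  ApprovedVpcEc2Product:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: approved-vpc-with-s3-gateway-endpoint
      Owner: platform-team
      ProvisioningArtifactParameters:
        - Name: v1
          Info:
            LoadTemplateFromURL: !Ref ProductTemplateUrl

  ProductInPortfolio:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref ApprovedPortfolio
      ProductId: !Ref ApprovedVpcEc2Product

  LaunchConstraint:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: ProductInPortfolio   # the association must exist first
    Properties:
      PortfolioId: !Ref ApprovedPortfolio
      ProductId: !Ref ApprovedVpcEc2Product
      # Resolved by name in whichever account launches the product, so each
      # developer account needs a role with this name (assumed pre-created).
      LocalRoleName: ServiceCatalogLaunchRole

  ShareWithDevelopers:
    Type: AWS::ServiceCatalog::PortfolioShare
    Properties:
      PortfolioId: !Ref ApprovedPortfolio
      AccountId: !Ref DeveloperAccountId
```

Because provisioning runs under the launch role, the developers' own IAM policies need Service Catalog end-user permissions only and no direct EC2 or VPC create permissions.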
Author: LeetQuiz Editorial Team
A company wants to optimize AWS data-transfer costs and compute costs across developer accounts within the company's organization in AWS Organizations. Developers can configure VPCs and launch Amazon EC2 instances in a single AWS Region. The EC2 instances retrieve approximately 1 TB of data each day from Amazon S3. The developer activity leads to excessive monthly data-transfer charges and NAT gateway processing charges between EC2 instances and S3 buckets, along with high compute costs. The company wants to proactively enforce approved architectural patterns for any EC2 instance and VPC infrastructure that developers deploy within the AWS accounts. The company does not want this enforcement to negatively affect the speed at which the developers can perform their tasks. Which solution will meet these requirements MOST cost-effectively?
A
Create and deploy AWS Config rules to monitor the compliance of EC2 and VPC resources in the developer AWS accounts. If developers launch unapproved EC2 instances or if developers create VPCs without S3 gateway endpoints, perform a remediation action to terminate the unapproved resources.
B
Create a daily forecasted budget with AWS Budgets to monitor EC2 compute costs and S3 data-transfer costs across the developer accounts. When the forecasted cost is 75% of the actual budget cost, send an alert to the developer teams. If the actual budget cost is 100%, create a budget action to terminate the developers' EC2 instances and VPC infrastructure.
C
Create SCPs to prevent developers from launching unapproved EC2 instance types. Provide the developers with an AWS CloudFormation template to deploy an approved VPC configuration with S3 interface endpoints. Scope the developers' IAM permissions so that the developers can launch VPC resources only with CloudFormation.
D
Create an AWS Service Catalog portfolio that users can use to create an approved VPC configuration with S3 gateway endpoints and approved EC2 instances. Share the portfolio with the developer accounts. Configure an AWS Service Catalog launch constraint to use an approved IAM role. Scope the developers' IAM permissions to allow access only to AWS Service Catalog.