AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company has multiple AWS accounts for development work. Some staff consistently use oversized Amazon EC2 instances, which causes the company to exceed the yearly budget for the development accounts. The company wants to centrally restrict the creation of AWS resources in these accounts.
Which solution will meet these requirements with the LEAST development effort?
Other
Community
UAnonymous
A
Develop AWS Systems Manager templates that use an approved EC2 creation process. Use the approved Systems Manager templates to provision EC2 instances.
B
Use AWS Organizations to organize the accounts into organizational units (OUs). Define and attach a service control policy (SCP) to control the usage of EC2 instance types.
C
Configure an Amazon EventBridge rule that invokes an AWS Lambda function when an EC2 instance is created. Stop disallowed EC2 instance types.
D
Set up AWS Service Catalog products for the staff to create the allowed EC2 instance types. Ensure that staff can deploy EC2 instances only by using the Service Catalog products.
Explanation:
Explanation
Correct Answer: B
Why Option B is the best solution with the LEAST development effort:
- AWS Organizations with Service Control Policies (SCPs) provides a centralized, account-level control mechanism that requires minimal development effort.
- SCPs are deny-based policies that can restrict which EC2 instance types can be launched across multiple accounts without requiring any custom code.
- Once configured at the OU level, the policy automatically applies to all accounts within that OU, ensuring consistent enforcement.
- No development or maintenance of custom templates, functions, or products is required.
Why other options are not optimal:
- Option A (AWS Systems Manager templates): Requires developing and maintaining custom templates, and ensuring staff use them instead of the AWS Console or CLI.
- Option C (EventBridge + Lambda): Requires developing, testing, and maintaining Lambda functions, and this approach is reactive (instances are created then stopped) rather than preventive.
- Option D (AWS Service Catalog): Requires setting up and maintaining Service Catalog products, and ensuring staff can only use these products (which may require additional IAM policies).
Key AWS Concepts:
- Service Control Policies (SCPs) are a feature of AWS Organizations that allow you to set permission guardrails for what actions users and roles can do in member accounts.
- SCPs work at the organizational unit (OU) level, making them ideal for centrally managing policies across multiple accounts.
- SCPs use the same policy syntax as IAM, making them familiar to AWS administrators.
Example SCP Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:network-interface/*"
],
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": [
"t3.micro",
"t3.small",
"t3.medium"
]
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:network-interface/*"
],
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": [
"t3.micro",
"t3.small",
"t3.medium"
]
}
}
}
]
}
This SCP would deny the creation of EC2 instances unless they are of the specified instance types (t3.micro, t3.small, or t3.medium).
Comments
Loading comments...