A company uses multiple AWS accounts for development. Some staff repeatedly launch oversized Amazon EC2 instances, causing the development accounts to exceed the annual budget. The company wants to centrally restrict which AWS resources can be created in these accounts. Which solution meets the requirement with the LEAST development effort?
Choose an answer
Tap an option to check your answer.
Correct answer: Use AWS Organizations to group the accounts into organizational units (OUs). Define and attach a service control policy (SCP) to restrict which EC2 instance types can be used..
Why this is the answer
The correct answer is to use AWS Organizations with Service Control Policies (SCPs). SCPs allow you to centrally manage permissions across multiple AWS accounts in your organization. By attaching an SCP to an Organizational Unit (OU) that contains the development accounts, you can explicitly deny the creation of oversized EC2 instance types, effectively restricting resource creation at a high level without modifying individual account permissions. This is the least development effort because it's a policy-based solution applied once at the organizational level. Developing AWS Systems Manager templates requires creating and maintaining custom templates and enforcing their use, which is more effort. Configuring an Amazon EventBridge rule with a Lambda function is reactive; it stops disallowed instances after they are launched, incurring brief costs and requiring more development and maintenance. Setting up AWS Service Catalog products requires defining and maintaining products and mandating their use, which is also more development effort.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed