A development team uses separate AWS accounts for development, staging, and production. Team members have been launching large Amazon EC2 instances that are underutilized. A solutions architect must prevent large instances from being launched in all accounts with the LEAST operational overhead. How can the architect meet this requirement?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an organization in AWS Organizations in the management account with the default policy. Create a service control policy (SCP) that denies the launch of large EC2 instances, and apply it to the AWS accounts..
Why this is the answer
The correct answer is to use AWS Organizations with a Service Control Policy (SCP). SCPs allow you to centrally manage permissions across multiple AWS accounts in your organization. By creating an SCP that denies the launch of large EC2 instances and attaching it to the relevant accounts or organizational units (OUs), you enforce this restriction uniformly with minimal operational overhead. Updating IAM policies for all users in each account would be cumbersome and error-prone, requiring manual updates across multiple accounts and users. AWS Resource Access Manager (RAM) is for sharing resources, not for preventing actions. Creating an IAM role in each account would still require managing and applying that role across all accounts, which is less efficient than a single SCP.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed