Question #1891
A development team uses separate AWS accounts for development, testing, and production. Engineers have been deploying GPU-optimized Amazon EC2 instances that are not fully utilized. A solutions architect needs to ensure that such instances cannot be launched in any account with minimal ongoing management.
A. Update the IAM policies to deny the launch of GPU-optimized EC2 instances. Apply the policies to all users.
B. Define a resource in AWS Resource Access Manager that restricts the launch of GPU-optimized EC2 instances.
C. Create an IAM role in each account that denies the launch of GPU-optimized EC2 instances. Assign the role to all engineers.
D. Create an organization in AWS Organizations in the management account. Develop a service control policy (SCP) that blocks the launch of GPU-optimized EC2 instances, and attach it to the relevant accounts.
Explanation
Option D is correct because AWS Organizations SCPs enable account-level restrictions across an entire organization. By creating an SCP in the management account and attaching it to the relevant accounts (development, testing, production), the launch of GPU-optimized EC2 instances can be blocked in all of them from one place. SCPs act as guardrails: an SCP Deny takes effect even when a user's IAM policies grant the action, because SCPs define the maximum permissions available in a member account. This approach requires minimal ongoing management since the policy is written once at the organization level.
Other options are incorrect:
- A: IAM policies are account-specific and would require manual updates in each account, which is not scalable.
- B: AWS Resource Access Manager (RAM) shares resources across accounts but does not restrict instance types.
- C: IAM roles must be assigned to users and can be bypassed if users have other permissions, making enforcement unreliable.
Key Points:
1. SCPs enforce organization-wide rules.
2. SCPs override IAM policies.
3. Minimal management is achieved through centralized control.
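The following is an added example, not part of the original question or of any AWS documentation. It builds the kind of SCP document option D describes and includes a small simulation of the `StringLike` match so the reader can see which instance types the Deny statement would catch. The `ec2:RunInstances` action and the `ec2:InstanceType` condition key are real IAM identifiers; the list of wildcard patterns treated as "GPU-optimized" (`p*`, `g*`) is a constructed assumption and should be checked against the current EC2 instance-type catalogue before use.

```python
"""Build and sanity-check an SCP that denies launching GPU-optimized EC2
instance families (added example; assumptions noted in comments)."""
import fnmatch
import json

# Constructed assumption: GPU instance families are approximated by these
# name prefixes. IAM StringLike supports '*' and '?' wildcards.
GPU_FAMILY_PATTERNS = ["p*", "g*"]


def build_gpu_deny_scp(patterns=GPU_FAMILY_PATTERNS):
    """Return the SCP document as a dict.

    The Deny is scoped to the instance resource of RunInstances, which is
    where the ec2:InstanceType condition key is evaluated. Because it is a
    Deny, it applies even if an IAM policy in the member account allows
    RunInstances.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyGpuOptimizedInstanceLaunch",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringLike": {"ec2:InstanceType": list(patterns)}
                },
            }
        ],
    }


def launch_denied_by_scp(scp, instance_type):
    """Simulate the StringLike match for one instance type.

    Returns True if any Deny statement in the SCP would block a
    RunInstances call for this type. fnmatchcase also understands
    '[...]' classes, which IAM does not, so only '*' and '?' patterns
    are meaningful here.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Condition"]["StringLike"]["ec2:InstanceType"]
        if any(fnmatch.fnmatchcase(instance_type, p) for p in patterns):
            return True
    return False


def scp_json(scp):
    """Serialize the document in the form passed to create-policy."""
    return json.dumps(scp, indent=2)


if __name__ == "__main__":
    policy = build_gpu_deny_scp()
    print(scp_json(policy))
    for itype in ["p3.2xlarge", "g5.xlarge", "m5.large", "t3.micro"]:
        verdict = "DENIED" if launch_denied_by_scp(policy, itype) else "allowed"
        print(f"{itype}: {verdict}")
```

The printed JSON is what would be uploaded as a SERVICE_CONTROL_POLICY and attached to the accounts (or to an OU containing them). Two caveats a practitioner should keep in mind: SCPs are not evaluated for the management account itself, so the engineers' accounts must be member accounts; and an SCP only sets the permission ceiling, so each account still needs ordinary IAM policies for the actions it does allow.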
Answer
The correct answer is: D