AWS Certified Solutions Architect - Professional / Question #798

Question #798

A company wants to optimize AWS data-transfer costs and compute costs across developer accounts within the company's organization in AWS Organizations. Developers can configure VPCs and launch Amazon EC2 instances in a single AWS Region.

The EC2 instances upload approximately 500 GB of data each day to Amazon DynamoDB.

The developer activity leads to excessive monthly data-transfer charges and NAT gateway processing costs between EC2 instances and DynamoDB, along with high compute costs. The company wants to proactively enforce approved architectural patterns for any EC2 instance and VPC infrastructure that developers deploy within the AWS accounts. The company does not want this enforcement to negatively affect the speed at which the developers can perform their tasks.

Which solution will meet these requirements MOST cost-effectively?

A

Create SCPs to prevent developers from launching unapproved EC2 instance types. Provide the developers with an AWS CloudFormation template to deploy an approved VPC configuration with DynamoDB interface endpoints. Scope the developers' IAM permissions so that the developers can launch VPC resources only with CloudFormation.

B

Create a daily forecasted budget with AWS Budgets to monitor EC2 compute costs and DynamoDB data-transfer costs across the developer accounts. When the forecasted cost is 75% of the actual budget cost, send an alert to the developer teams. If the actual budget cost is 100%, create a budget action to terminate the developers' EC2 instances and VPC infrastructure.

C

Create an AWS Service Catalog portfolio that users can use to create an approved VPC configuration with DynamoDB gateway endpoints and approved EC2 instances. Share the portfolio with the developer accounts. Configure an AWS Service Catalog launch constraint to use an approved IAM role. Scope the developers' IAM permissions to allow access only to AWS Service Catalog.

D

Create and deploy AWS Config rules to monitor the compliance of EC2 and VPC resources in the developer AWS accounts. If developers launch unapproved EC2 instances or if developers create VPCs without DynamoDB gateway endpoints, perform a remediation action to terminate the unapproved resources.

Explanation

Option C is correct. AWS Service Catalog lets a central team publish approved products (here, a VPC configuration that includes a DynamoDB gateway endpoint, plus EC2 instances of approved types) and share the portfolio with every developer account in the organization. A gateway endpoint adds a route for the DynamoDB prefix list to the associated route tables, so traffic from the EC2 instances reaches DynamoDB over the AWS network instead of a NAT gateway. Gateway endpoints have no hourly or per-GB charge, which removes both the NAT gateway processing cost and the data-transfer cost for the roughly 500 GB uploaded each day. The launch constraint provisions each product with an approved IAM role, so developers' own permissions can be scoped down to AWS Service Catalog only; they keep self-service provisioning, but cannot create VPCs or instances outside the approved pattern. The enforcement is preventive and happens at deployment time, so it does not slow developers down.

Option A does deliver a standardized template, but it uses DynamoDB interface endpoints. Interface endpoints are billed per hour per Availability Zone and per GB processed, so at this volume they are markedly less cost-effective than the free gateway endpoint, and the option adds SCP maintenance for instance types that a curated product handles directly.

Option B is reactive. Budgets and alerts do not enforce architecture, the charges have already been incurred when the alert fires, and a budget action can stop EC2 instances but cannot terminate them or remove VPC infrastructure. Stopping developers' instances is also the kind of disruption the question rules out.

Option D is also reactive. AWS Config evaluates resources after they exist, so non-compliant resources run (and cost money) until remediation, and automatic termination destroys developer work, which conflicts with the requirement not to slow developers down.

Service Catalog balances compliance, cost efficiency, and developer agility.
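The following CloudFormation template is an added example of what the Service Catalog product in option C could contain; it is not part of the exam page or of any AWS sample. The CIDR blocks, the list of approved instance types, the organization ID and the table ARN pattern are assumptions. The points it demonstrates are the ones the explanation relies on: the gateway endpoint is associated with the private route table (which installs the DynamoDB prefix-list route), the endpoint policy limits which principals and actions can use it, and the instance type is constrained to an approved list through AllowedValues rather than through a separate SCP.

```yaml
# Added example product template for the "approved VPC" pattern (not from the
# exam page). CIDRs, instance list, org ID and table ARN pattern are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: Approved developer VPC with a DynamoDB gateway endpoint (example)

Parameters:
  InstanceType:
    Type: String
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small, t3.medium]   # assumed approved list
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.42.0.0/16            # assumed
      EnableDnsSupport: true
      EnableDnsHostnames: true

  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.42.1.0/24            # assumed
      AvailabilityZone: !Select [0, !GetAZs '']

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc

  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable

  # Gateway endpoint: no hourly or per-GB charge. Listing the route table here
  # installs a route for the DynamoDB prefix list, so DynamoDB traffic from the
  # private subnet never traverses a NAT gateway (there is none in this VPC).
  DynamoDbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      RouteTableIds:
        - !Ref PrivateRouteTable
      # Endpoint policy: only principals in this organization, only the
      # write/read actions the workload needs, only tables in this account.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - dynamodb:PutItem
              - dynamodb:BatchWriteItem
              - dynamodb:UpdateItem
              - dynamodb:GetItem
              - dynamodb:Query
            Resource: !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/*
            Condition:
              StringEquals:
                aws:PrincipalOrgID: o-exampleorgid   # assumed organization ID

  # Instance role: the identity the uploader uses. Keep it to the same actions
  # the endpoint policy allows so neither layer is broader than the other.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: DynamoDbUploader
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [dynamodb:PutItem, dynamodb:BatchWriteItem, dynamodb:UpdateItem]
                Resource: !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/*

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]

  # No public IP and no NAT route: the only way out of this subnet to DynamoDB
  # is the gateway endpoint, which is exactly the cost path the question wants.
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      ImageId: !Ref LatestAmiId
      SubnetId: !Ref PrivateSubnet
      IamInstanceProfile: !Ref InstanceProfile

Outputs:
  VpcId:
    Value: !Ref Vpc
  EndpointId:
    Value: !Ref DynamoDbEndpoint
```

Two things worth checking after provisioning through Service Catalog: the private route table should show a route whose destination is the DynamoDB prefix list (pl-...) and whose target is the endpoint ID, and a DynamoDB call from the instance should succeed while a call from an identity outside the organization, or to a table in another account, is denied by the endpoint policy. The launch-role constraint and the developers' Service Catalog-only IAM policy live in the portfolio configuration, not in this template.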

Answer

The correct answer is: C