Question #595
A company using AWS Organizations provides developers with sandbox accounts for testing. Developers request accounts using their corporate email, and the company wants to enforce cost controls by preventing the use of expensive services and implementing a fixed quarterly budget that automatically stops resources when exceeded.
Which combination of steps will meet these requirements? (Choose three.)
A. Create an SCP to enforce a quarterly spending limit. Apply the SCP to the sandbox accounts.
B. Use AWS Budgets to configure a fixed quarterly budget for each sandbox account during account provisioning.
C. Create an SCP to block access to high-cost services. Apply the SCP to the sandbox accounts.
D. Develop an IAM policy to restrict access to costly services. Attach the policy to sandbox account roles.
E. Configure an AWS Budgets action to stop all resources directly when the budget is exceeded.
F. Set up an AWS Budgets alert to trigger an Amazon SNS notification at the budget threshold. Use AWS Lambda to terminate all sandbox resources.
Explanation
To meet the requirements:
1. AWS Budgets (B) configures fixed quarterly budgets during provisioning, ensuring cost visibility.
2. SCP (C) centrally blocks access to expensive services across all sandbox accounts via AWS Organizations.
3. Budgets + Lambda (F) triggers an SNS alert at the threshold, invoking Lambda to terminate resources automatically.
Why others are incorrect:
- A: SCPs cannot enforce spending limits; they control service access.
- D: IAM policies are account-specific and less scalable than SCPs.
- E: AWS Budgets cannot directly stop resources; automation (Lambda) is required.
Key Points:
- Use SCPs for service restrictions in Organizations.
- AWS Budgets manages budgets and alerts.
- Automate resource termination via Lambda triggered by Budgets alerts.
Answer
The correct answer is: BCF