Question #880
A company is running a project that launches Amazon EC2 instances larger than necessary. The project's account cannot join the company's AWS Organizations due to compliance requirements mandating operational independence. Developers in the project's account must only launch t3.medium EC2 instances restricted to the us-west-1 Region. What should a solutions architect do to fulfill these requirements?
A. Create a new account within AWS Organizations. Migrate all EC2 resources and users to us-west-1. Apply an SCP enforcing Region-specific resource deployment via tagging.
B. Create an SCP that blocks all EC2 instance launches except t3.medium in us-west-1 and attach it to the project's account.
C. Purchase t3.medium EC2 Reserved Instances for each developer in us-west-1 and assign tagged instances to individual developers.
D. Create an IAM policy that permits launching only t3.medium EC2 instances in us-west-1 and attach it to the developers' roles and groups in the project's account.
Explanation
Answer D is correct because:
1. SCPs (Option B) require the account to be part of AWS Organizations, which is prohibited here.
2. Reserved Instances (Option C) only provide billing discounts and do not enforce instance type/Region restrictions.
3. Migrating to a new account (Option A) is unnecessary and irrelevant since the existing account cannot join Organizations.
4. IAM policies (Option D) are the proper tool to enforce granular permissions within an account. By creating an IAM policy that explicitly allows only t3.medium instances in us-west-1 and attaching it to developers' roles/groups, compliance is achieved.
Key Points:
- SCPs require AWS Organizations membership.
- IAM policies control permissions at the user/role level.
- Reserved Instances do not restrict resource creation.
Answer
The correct answer is: D
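As an added example (not part of the original question or answer key), an IAM policy of the kind Option D describes. The Allow statements are scoped to resources in us-west-1 and the instance statement to t3.medium; the explicit Deny statements make sure no other Allow attached to the same principals can widen that. It assumes the condition keys ec2:InstanceType and aws:RequestedRegion, and the second statement exists because ec2:RunInstances is also authorized against the AMI, subnet, security group, volume, network interface and key pair, not only the instance.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowT3MediumInstancesInUsWest1",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-west-1:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:InstanceType": "t3.medium" }
      }
    },
    {
      "Sid": "AllowSupportingLaunchResourcesInUsWest1",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-west-1::image/ami-*",
        "arn:aws:ec2:us-west-1:*:subnet/*",
        "arn:aws:ec2:us-west-1:*:security-group/*",
        "arn:aws:ec2:us-west-1:*:volume/*",
        "arn:aws:ec2:us-west-1:*:network-interface/*",
        "arn:aws:ec2:us-west-1:*:key-pair/*"
      ]
    },
    {
      "Sid": "DenyAnyOtherInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": { "ec2:InstanceType": "t3.medium" }
      }
    },
    {
      "Sid": "DenyLaunchesOutsideUsWest1",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": "us-west-1" }
      }
    }
  ]
}
```

The read-only ec2:Describe* permissions developers need to browse AMIs and subnets in the console are deliberately left out; attach them separately so the launch policy stays minimal.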