AWS Certified Solutions Architect – Associate (SAA-C03) — Question 489
A company has multiple AWS accounts for development work. Some staff consistently use oversized Amazon EC2 instances, which causes the company to exceed the yearly budget for the development accounts. The company wants to centrally restrict the creation of AWS resources in these accounts.
Which solution will meet these requirements with the LEAST development effort?
Answer options
- A. Develop AWS Systems Manager templates that use an approved EC2 creation process. Use the approved Systems Manager templates to provision EC2 instances.
- B. Use AWS Organizations to organize the accounts into organizational units (OUs). Define and attach a service control policy (SCP) to control the usage of EC2 instance types.
- C. Configure an Amazon EventBridge rule that invokes an AWS Lambda function when an EC2 instance is created. Stop disallowed EC2 instance types.
- D. Set up AWS Service Catalog products for the staff to create the allowed EC2 instance types. Ensure that staff can deploy EC2 instances only by using the Service Catalog products.
Correct answer: B
Explanation
Using AWS Organizations with service control policies (SCPs) lets administrators centrally restrict EC2 instance types across multiple accounts with simple, native policies and no code to write or maintain: an SCP attached to the development OU applies to every account in that OU, and a Deny in an SCP cannot be overridden by IAM policies inside the member accounts. In contrast, options A, C, and D (AWS Systems Manager, an Amazon EventBridge rule with AWS Lambda, or AWS Service Catalog) require significant implementation and maintenance effort to create, deploy, and enforce templates, custom code, or portfolios, and option C only reacts after a disallowed instance has already been launched rather than preventing the launch.
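The kind of SCP described in option B, written out as an added example (not part of the original question or any AWS documentation). It assumes an allowlist of t3 and t4g instance families chosen for this illustration; the `ec2:InstanceType` condition key and the instance resource ARN form are real and are what `ec2:RunInstances` evaluates. The policy denies launching any instance whose type is outside the allowlist, and it takes effect for every account in the OU it is attached to (but not for the organization's management account, which SCPs never restrict).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEc2LaunchOutsideApprovedInstanceFamilies",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": [
            "t3.*",
            "t4g.*"
          ]
        }
      }
    }
  ]
}
```

Because SCPs only filter permissions and never grant them, developers still need an IAM policy in their account that allows `ec2:RunInstances`; the SCP simply removes the oversized instance types from what that policy can do.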