AWS Certified Solutions Architect – Associate (SAA-C03) — Question 836

A development team uses multiple AWS accounts for its development, staging, and production environments. Team members have been launching large Amazon EC2 instances that are underutilized. A solutions architect must prevent large instances from being launched in all accounts.

How can the solutions architect meet this requirement with the LEAST operational overhead?

Answer options

• A. Update the IAM policies to deny the launch of large EC2 instances. Apply the policies to all users.
• B. Define a resource in AWS Resource Access Manager that prevents the launch of large EC2 instances.
• C. Create an IAM role in each account that denies the launch of large EC2 instances. Grant the developers IAM group access to the role.
• D. Create an organization in AWS Organizations in the management account with the default policy. Create a service control policy (SCP) that denies the launch of large EC2 instances, and apply it to the AWS accounts.

Correct answer: D

Explanation

Using AWS Organizations and applying a Service Control Policy (SCP) at the organization level allows the solutions architect to centrally restrict instance types across all accounts with minimal administrative overhead. Managing IAM policies or roles locally in each individual account (Options A and C) would require significant manual effort and scale poorly. AWS Resource Access Manager (Option B) is designed for resource sharing across accounts and cannot be used to restrict EC2 instance launches.