AWS Certified Solutions Architect – Professional (SAP-C02) — Question 383
A company orchestrates a multi-account structure on AWS by using AWS Control Tower. The company is using AWS Organizations, AWS Config, and AWS Trusted Advisor. The company has a specific OU for development accounts that developers use to experiment on AWS. The company has hundreds of developers, and each developer has an individual development account.
The company wants to optimize costs in these development accounts. Amazon EC2 instances and Amazon RDS instances in these accounts must be burstable. The company wants to disallow the use of other services that are not relevant.
What should a solutions architect recommend to meet these requirements?
Answer options
- A. Create a custom SCP in AWS Organizations to allow the deployment of only burstable instances and to disallow services that are not relevant. Apply the SCP to the development OU.
- B. Create a custom detective control (guardrail) in AWS Control Tower. Configure the control (guardrail) to allow the deployment of only burstable instances and to disallow services that are not relevant. Apply the control (guardrail) to the development OU.
- C. Create a custom preventive control (guardrail) in AWS Control Tower. Configure the control (guardrail) to allow the deployment of only burstable instances and to disallow services that are not relevant. Apply the control (guardrail) to the development OU.
- D. Create an AWS Config rule in the AWS Control Tower account. Configure the AWS Config rule to allow the deployment of only burstable instances and to disallow services that are not relevant. Deploy the AWS Config rule to the development OU by using AWS CloudFormation StackSets.
Correct answer: C
Explanation
AWS Control Tower preventive guardrails are implemented using Service Control Policies (SCPs) to block unauthorized actions before they occur, making them the correct choice to disallow non-burstable instances and non-relevant services. While direct SCPs in AWS Organizations could achieve a similar restriction, managing them as custom preventive controls within AWS Control Tower ensures they are integrated with the Control Tower dashboard and framework. Detective controls and AWS Config rules only identify violations after resources are already deployed, which fails to prevent the initial cost-incurring provisioning.
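As an added illustration of the mechanism behind the correct answer (this policy is not part of the original question and is not an AWS-published control), the SCP below is the kind of policy a custom preventive control would enforce on the development OU. The burstable families listed (t2, t3, t3a, t4g and their db.t equivalents) and the three services blocked in the last statement (Redshift, SageMaker, EMR) are assumptions chosen for the example; a real deployment would substitute the services the company considers not relevant.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonBurstableEC2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": ["t2.*", "t3.*", "t3a.*", "t4g.*"]
        }
      }
    },
    {
      "Sid": "DenyNonBurstableRDS",
      "Effect": "Deny",
      "Action": ["rds:CreateDBInstance", "rds:ModifyDBInstance"],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "rds:DatabaseClass": ["db.t2.*", "db.t3.*", "db.t4g.*"]
        }
      }
    },
    {
      "Sid": "DenyServicesNotRelevantToDevelopment",
      "Effect": "Deny",
      "Action": ["redshift:*", "sagemaker:*", "elasticmapreduce:*"],
      "Resource": "*"
    }
  ]
}
```

Two points worth checking before attaching a policy like this to the OU: the EC2 statement is scoped to the instance resource ARN so that the `ec2:InstanceType` condition key is evaluated only on the instance being launched, and the RDS statement covers `rds:ModifyDBInstance` as well as creation, otherwise a developer could launch a burstable class and resize it afterwards. Because this is a Deny that evaluates before any IAM allow, a mistake here locks out every account in the OU at once, so attach it to a single test account (or a sandbox OU) and confirm expected launches succeed and disallowed ones fail before applying it to the development OU.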