AWS Certified SysOps Administrator – Associate (legacy) — Question 741
A company has several business units that want to use Amazon EC2. The company wants to require all business units to provision their EC2 instances by using only approved EC2 instance configurations.
What should a SysOps administrator do to implement this requirement?
Answer options
- A. Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.
- B. Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.
- C. Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
- D. Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.
Correct answer: C
Explanation
AWS Service Catalog lets an organization centrally manage and enforce approved IT services, including specific EC2 configurations, while restricting users from launching resources outside of the catalog. The launch constraint specifies the IAM role that Service Catalog assumes when it provisions the product, so the business units need no EC2 permissions of their own. By applying a launch constraint role and limiting users to AWS Service Catalog actions, the administrator ensures that business units cannot provision unapproved configurations directly via the EC2 console. The other options, such as sharing CloudFormation templates, do not natively enforce compliance or prevent users with EC2 permissions from launching unapproved instances.