Q68 — AWS SAP-C02 Ch.3


Q293. A company orchestrates a multi-account structure on AWS by using AWS Control Tower. The company is using AWS Organizations, AWS Config, and AWS Trusted Advisor. The company has a specific OU for development accounts that developers use to experiment on AWS. The company has hundreds of developers, and each developer has an individual development account. The company wants to optimize costs in these development accounts. Amazon EC2 instances and Amazon RDS instances in these accounts must be burstable. The company wants to disallow the use of other services that are not relevant. What should a solutions architect recommend to meet these requirements?

Correct Answer: A. Create a custom SCP in AWS Organizations to allow the deployment of only burstable instances and to disallow services that are not relevant. Apply the SCP to the development OU.

Explanation

A. Create a custom SCP in AWS Organizations to allow the deployment of only burstable instances and to disallow services that are not relevant. Apply the SCP to the development OU.

Why A is correct: A service control policy (SCP) sets the maximum permissions available to every IAM principal in the accounts it is attached to; it does not grant permissions itself, and no administrator inside a member account can override it. One SCP attached to the development OU therefore applies uniformly to all of the hundreds of developer accounts, including any account moved into the OU later. Two kinds of statements cover the requirements. Deny statements that use the ec2:InstanceType and rds:DatabaseClass condition keys refuse any ec2:RunInstances or rds:CreateDBInstance call whose class is not in a burstable family (the T families for EC2, the db.t classes for RDS). Deny statements on whole service namespaces (for example sagemaker:*) block the services that are not relevant to experimentation. Because the policy is evaluated at authorization time, a non-compliant instance is never created and never billed, which is what "optimize costs" requires. SCPs never apply to the organization's management account, but the developer accounts are member accounts, so that limitation does not matter here. Control Tower does not provide an editor for custom SCPs; additional preventive policy in a Control Tower landing zone is written in AWS Organizations and attached alongside the Control Tower-managed SCPs, which is exactly what this option describes.

Why B is wrong: Detective guardrails in AWS Control Tower are implemented with AWS Config rules. They evaluate resources after they exist and report them as non-compliant on the Control Tower dashboard; they do not stop a developer from launching an r5.24xlarge or a memory-optimized RDS instance, so the cost is incurred before anything is detected.

Why C is wrong: Preventive guardrails are the right kind of control in principle, because Control Tower implements them as SCPs. However, the preventive guardrails Control Tower offers are AWS-managed controls selected from its controls library; you cannot author the instance-class conditions or the service deny list this scenario needs inside Control Tower. That customization has to be expressed as an SCP in AWS Organizations, which is option A. (The explanation sometimes given for this option, that preventive guardrails "automatically remediate" resources, is incorrect: preventive controls block the API call, they do not remediate anything.)

Why D is wrong: An AWS Config rule, like a detective guardrail, only evaluates configuration after the fact and cannot block an API call. A rule created in the Control Tower management account also evaluates only that account's own resources unless it is deployed as an organization Config rule, so on its own it would not even cover the developer accounts. AWS Config and Trusted Advisor appear in the scenario as distractors; neither is a preventive control.

Therefore the recommendation that optimizes cost, restricts EC2 and RDS to burstable classes, and disallows irrelevant services across every development account is: A. Create a custom SCP in AWS Organizations to allow the deployment of only burstable instances and to disallow services that are not relevant. Apply the SCP to the development OU.
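As an added illustration (written for this page; it is not the question author's material or an AWS-published policy), the following Python block encodes the kind of deny-list SCP option A describes and runs a handful of constructed API requests through a minimal evaluator of SCP Deny semantics. The condition keys ec2:InstanceType and rds:DatabaseClass and the 5,120-character SCP size limit are real; the burstable-family patterns, the list of "irrelevant" services, the account ID, the region and the request names are assumptions made for the example.

```python
"""Deny-list SCP for a development OU plus a small evaluator to exercise it.
Added example for this page, not a policy from AWS or the question's author.
Assumed for illustration: burstable-family patterns, the "irrelevant" service
list, account ID and region. The evaluator models only the SCP Deny semantics
used here (explicit Deny wins; everything else is left to the FullAWSAccess SCP
Control Tower attaches at the root). It is not IAM.
"""
import json
from fnmatch import fnmatchcase

DEV_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Resource is scoped to instance ARNs: ec2:InstanceType is only in the
            # context for the instance resource of RunInstances, and a negated
            # operator matches an absent key, so "*" would deny every launch.
            "Sid": "DenyNonBurstableEC2",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotLike": {
                "ec2:InstanceType": ["t2.*", "t3.*", "t3a.*", "t4g.*"]}},
        },
        {
            # ModifyDBInstance is left out: a modify that keeps the class lacks the
            # key and would be denied (StringNotLikeIfExists would cover it).
            "Sid": "DenyNonBurstableRDS",
            "Effect": "Deny",
            "Action": "rds:CreateDBInstance",
            "Resource": "*",
            "Condition": {"StringNotLike": {
                "rds:DatabaseClass": ["db.t2.*", "db.t3.*", "db.t4g.*"]}},
        },
        {
            "Sid": "DenyIrrelevantServices",  # assumed list for an experimentation OU
            "Effect": "Deny",
            "Action": ["redshift:*", "elasticmapreduce:*", "sagemaker:*"],
            "Resource": "*",
        },
    ],
}
SCP_MAX_CHARS = 5120  # AWS Organizations limit for one SCP document


def _glob_match(patterns, value, fold_case=False):
    """IAM-style '*'/'?' matching; action names are case-insensitive, ARNs are not."""
    pats = [patterns] if isinstance(patterns, str) else list(patterns)
    if fold_case:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatchcase(value, p) for p in pats)


def _condition_met(condition, context):
    """StringLike/StringNotLike only; a negated operator matches an absent key."""
    for op, pairs in condition.items():
        if op not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(op)
        negated = op == "StringNotLike"
        for key, expected in pairs.items():
            if key not in context:
                if negated:
                    continue
                return False
            if _glob_match(expected, context[key]) == negated:
                return False
    return True


def scp_denies(policy, action, resource, context):
    """Sid of the first Deny statement matching the request, or None."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny"
                and _glob_match(stmt["Action"], action, fold_case=True)
                and _glob_match(stmt["Resource"], resource)
                and _condition_met(stmt.get("Condition", {}), context)):
            return stmt["Sid"]
    return None


def scp_document():
    """Compact JSON for `aws organizations create-policy --content`, size-checked."""
    doc = json.dumps(DEV_OU_SCP, separators=(",", ":"))
    if len(doc) > SCP_MAX_CHARS:
        raise ValueError(f"SCP is {len(doc)} chars; limit is {SCP_MAX_CHARS}")
    return doc


def evaluate_requests():
    """Constructed API requests from one developer account, run through the SCP."""
    acct, region = "111122223333", "us-east-1"  # constructed values
    inst = f"arn:aws:ec2:{region}:{acct}:instance/*"
    vol = f"arn:aws:ec2:{region}:{acct}:volume/*"
    db = f"arn:aws:rds:{region}:{acct}:db:scratch-db"
    requests = {
        "launch t3.micro": ("ec2:RunInstances", inst, {"ec2:InstanceType": "t3.micro"}),
        "launch m5.large": ("ec2:RunInstances", inst, {"ec2:InstanceType": "m5.large"}),
        "volume of a launch": ("ec2:RunInstances", vol, {}),
        "create db.t3.medium": ("rds:CreateDBInstance", db, {"rds:DatabaseClass": "db.t3.medium"}),
        "create db.r6g.large": ("rds:CreateDBInstance", db, {"rds:DatabaseClass": "db.r6g.large"}),
        "create Redshift cluster": ("redshift:CreateCluster", "*", {}),
        "create S3 bucket": ("s3:CreateBucket", f"arn:aws:s3:::dev-{acct}-scratch", {}),
    }
    return {name: scp_denies(DEV_OU_SCP, *req) for name, req in requests.items()}
```

Calling evaluate_requests() shows the two launches and two RDS creations splitting exactly along the burstable boundary, the Redshift call blocked by the service deny list, and the S3 call untouched. The "volume of a launch" entry is the case to watch: the same RunInstances call authorizes several resources, and only the instance resource carries ec2:InstanceType, so the Resource scoping in DenyNonBurstableEC2 is what keeps the policy from denying every launch. To deploy the real policy, pass scp_document() to `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and then `aws organizations attach-policy` against the development OU's ID; validate the document first with IAM Access Analyzer policy validation (which accepts SCPs) and trial it on a sandbox OU, since the evaluator above is a teaching aid, not the IAM policy engine.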