What should a solutions architect recommend to meet these requirements?
Create a custom SCP in AWS Organizations to allow the deployment of only burstable instances and to disallow services that are not relevant. Apply the SCP to the development OU.
Create a custom detective control (guardrail) in AWS Control Tower. Configure the control (guardrail) to allow the deployment of only burstable instances and to disallow services that are not relevant. Apply the control (guardrail) to the development OU.
Create a custom preventive control (guardrail) in AWS Control Tower. Configure the control (guardrail) to allow the deployment of only burstable instances and to disallow services that are not relevant. Apply the control (guardrail) to the development OU.
Create an AWS Config rule in the AWS Control Tower account. Configure the AWS Config rule to allow the deployment of only burstable instances and to disallow services that are not relevant. Deploy the AWS Config rule to the development OU by using AWS CloudFormation StackSets.
Explanations:
While a custom SCP (Service Control Policy) that restricts resources could control the types of EC2 and RDS instances, SCPs are primarily used to manage permissions and do not prevent the creation of resources; they only restrict actions based on the policies that are set. This option therefore does not effectively enforce the burstable-instance requirement or disallow irrelevant services at the deployment level.
A custom detective control (guardrail) in AWS Control Tower is used for monitoring and reporting compliance, but it does not prevent actions. This option would not stop developers from deploying non-burstable instances or irrelevant services; it would only alert on such actions after they occur. Therefore, it does not meet the requirement of disallowing unwanted resources.
A custom preventive control (guardrail) in AWS Control Tower can actively enforce policies by preventing the deployment of non-compliant resources. Configuring this control to allow only burstable instances while disallowing other services ensures compliance at the point of deployment, effectively meeting the company’s requirements. This control can be applied to the development OU, making it the most appropriate choice.
An AWS Config rule can monitor compliance and provide alerts if non-burstable instances or irrelevant services are deployed, but it does not prevent such actions from occurring. Therefore, it fails to meet the requirement for enforcement during resource creation, making it ineffective for the stated objectives.
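Added example, not part of the original page: the policy statements a preventive control of the kind described above enforces at the point of deployment, written in the service control policy language that AWS Control Tower uses to apply preventive controls to an OU. The burstable families (t2/t3/t3a/t4g and db.t3/db.t4g) and the list of services kept available are assumptions about what the company considers relevant.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyBurstableEc2Instances",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": ["t2.*", "t3.*", "t3a.*", "t4g.*"]
        }
      }
    },
    {
      "Sid": "OnlyBurstableRdsInstances",
      "Effect": "Deny",
      "Action": "rds:CreateDBInstance",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "rds:DatabaseClass": ["db.t3.*", "db.t4g.*"]
        }
      }
    },
    {
      "Sid": "DenyServicesNotRelevantToDevelopment",
      "Effect": "Deny",
      "NotAction": [
        "ec2:*",
        "rds:*",
        "s3:*",
        "cloudwatch:*",
        "logs:*",
        "cloudformation:*",
        "iam:*",
        "sts:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Each Deny is scoped to actions where the condition key is present, because the `StringNotLike` operator also matches when the key is absent from the request. Attach the policy to a sandbox OU and confirm with a non-burstable `RunInstances` request that the explicit deny appears in CloudTrail before applying it to the development OU.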