What should a solutions architect do to meet these requirements?
Create a new developer account. Move all EC2 instances, users, and assets into us-east-2. Add the account to the company’s organization in AWS Organizations. Enforce a tagging policy that denotes Region affinity.
Create an SCP that denies the launch of all EC2 instances except t3.small EC2 instances in us-east-2. Attach the SCP to the project’s account.
Create and purchase a t3.small EC2 Reserved Instance for each developer in us-east-2. Assign each developer a specific EC2 instance with their name as the tag.
Create an IAM policy that allows the launch of only t3.small EC2 instances in us-east-2. Attach the policy to the roles and groups that the developers use in the project’s account.
Explanations:
Creating a new developer account and moving resources does not enforce the restriction on instance types or regions. Additionally, adding the account to AWS Organizations contradicts the requirement to keep the project outside of corporate IT.
Service Control Policies (SCPs) can restrict actions in AWS Organizations, but since the project account cannot be part of the organization, this option is not applicable. SCPs do not work on standalone accounts.
Purchasing Reserved Instances does not restrict the instance types that developers can launch. A Reserved Instance is a billing discount applied to matching usage; it does not prevent a developer from launching a t3.large, or from launching in another Region, so it does not enforce the t3.small requirement.
Creating an IAM policy that allows only the launch of t3.small EC2 instances in us-east-2 enforces the requirement inside the standalone account, where SCPs are not available. The policy uses the ec2:InstanceType condition key and scopes the instance resource ARN to us-east-2 (or uses the aws:RequestedRegion condition key). Attaching it to the roles and groups the developers use ensures that only the specified instance type and Region can be launched, meeting the project’s constraints. Because ec2:RunInstances also requires permission on the AMI, subnet, network interface, security group, key pair and volume resources, and the ec2:InstanceType key is only present for the instance resource, the policy needs a second statement granting RunInstances on those other resource types without the instance-type condition, or every launch will be denied.
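The following identity-based policy is an added example of the approach described above; it is not from the original page or an AWS-published policy. It assumes the project account wants developers to launch only t3.small instances in us-east-2 and to read EC2 state; resource ARNs use wildcards for the account ID and resource IDs, and the Sids are illustrative names. The explicit Deny statements are added as a safeguard in case another policy attached to the same principal grants broader ec2:RunInstances permission.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowT3SmallInstancesInUsEast2",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-2:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:InstanceType": "t3.small" }
      }
    },
    {
      "Sid": "AllowSupportingResourcesForRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-2::image/*",
        "arn:aws:ec2:us-east-2:*:subnet/*",
        "arn:aws:ec2:us-east-2:*:network-interface/*",
        "arn:aws:ec2:us-east-2:*:security-group/*",
        "arn:aws:ec2:us-east-2:*:key-pair/*",
        "arn:aws:ec2:us-east-2:*:volume/*"
      ]
    },
    {
      "Sid": "AllowReadOnlyEc2Describe",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "DenyAnyOtherInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": { "ec2:InstanceType": "t3.small" }
      }
    },
    {
      "Sid": "DenyRunInstancesOutsideUsEast2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": "us-east-2" }
      }
    }
  ]
}
```

The second Allow statement is the part most often forgotten: ec2:RunInstances is authorized against several resource ARNs in one request, and the ec2:InstanceType key is only present for the instance ARN, so a single statement that puts the condition on every resource denies every launch. Before attaching the policy, check it with the IAM policy simulator (for example aws iam simulate-custom-policy with --context-entries supplying ec2:InstanceType values such as t3.small and t3.medium) and confirm that only the t3.small case in us-east-2 evaluates to allowed.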