How can the solutions architect meet this requirement with the LEAST operational overhead?
Update the IAM policies to deny the launch of large EC2 instances. Apply the policies to all users.
Define a resource in AWS Resource Access Manager that prevents the launch of large EC2 instances.
Create an IAM role in each account that denies the launch of large EC2 instances. Grant the developers IAM group access to the role.
Create an organization in AWS Organizations in the management account with the default policy. Create a service control policy (SCP) that denies the launch of large EC2 instances, and apply it to the AWS accounts.
Explanations:
While updating IAM policies can control permissions, applying it individually to all users across accounts would increase operational overhead. IAM policies are also account-specific and would require redundant setups in each account.
AWS Resource Access Manager (RAM) is used for sharing resources across accounts, not for enforcing restrictions on instance types. RAM does not provide the capability to limit or deny specific instance launches.
Creating IAM roles in each account to deny large instance launches would require a role per account and additional management overhead. IAM roles are also not as effective as SCPs for centralized restrictions across multiple accounts.
AWS Organizations and Service Control Policies (SCPs) allow centralized control and can apply a restriction across all accounts, ensuring large instances cannot be launched with minimal operational overhead. This is the optimal solution.
From what I’ve seen, the answer is:
Create an organization in AWS Organizations in the management account with the default policy. Create a service control policy (SCP) that denies the launch of large EC2 instances, and apply it to the AWS accounts.