What should a solutions architect do to meet these requirements?
Create a new developer account. Move all EC2 instances, users, and assets into us-east-2. Add the account to the company’s organization in AWS Organizations. Enforce a tagging policy that denotes Region affinity.
Create an SCP that denies the launch of all EC2 instances except t3.small EC2 instances in us-east-2. Attach the SCP to the project’s account.
Create and purchase a t3.small EC2 Reserved Instance for each developer in us-east-2. Assign each developer a specific EC2 instance with their name as the tag.
Create an IAM policy that allows the launch of only t3.small EC2 instances in us-east-2. Attach the policy to the roles and groups that the developers use in the project’s account.
Explanations:
Creating a new developer account and adding it to AWS Organizations does not work: the account cannot be part of the company’s organization due to policy restrictions. Additionally, a tagging policy does not restrict instance types or Regions; it only governs tag keys and values.
Service Control Policies (SCPs) apply only within AWS Organizations, but the project’s account is outside the organization’s structure due to policy restrictions, so an SCP cannot be used in this scenario.
Purchasing Reserved Instances does not prevent developers from launching other instance types. This approach only provides cost savings for specific instance types, without enforcing restrictions.
An IAM policy can be applied directly within the project’s account to allow the launch of only t3.small instances in the us-east-2 Region. Attached to the developers’ roles and groups, it meets the requirements without involving AWS Organizations.
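The following identity-based policy is an added example of the correct option, not part of the original question or an AWS-published policy. It uses the AWS condition keys ec2:InstanceType and aws:RequestedRegion. The Allow statements grant ec2:RunInstances only for t3.small instances and the supporting launch resources in us-east-2; the two Deny statements make the restriction hold even if another attached policy grants broader ec2:RunInstances permission. It assumes the developers’ read-only EC2 permissions (ec2:Describe*) are granted by a separate policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowT3SmallInstancesInUsEast2",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-2:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:InstanceType": "t3.small" }
      }
    },
    {
      "Sid": "AllowLaunchResourcesInUsEast2",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-2::image/*",
        "arn:aws:ec2:us-east-2:*:network-interface/*",
        "arn:aws:ec2:us-east-2:*:subnet/*",
        "arn:aws:ec2:us-east-2:*:security-group/*",
        "arn:aws:ec2:us-east-2:*:volume/*",
        "arn:aws:ec2:us-east-2:*:key-pair/*"
      ]
    },
    {
      "Sid": "DenyAnyOtherInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": { "ec2:InstanceType": "t3.small" }
      }
    },
    {
      "Sid": "DenyLaunchOutsideUsEast2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": "us-east-2" }
      }
    }
  ]
}
```

Because RunInstances is authorized against several resource types at once (instance, image, subnet, and so on), the instance-type condition is placed only on the instance ARN statement; the other resource ARNs carry the Region restriction in the ARN itself. The explicit Deny statements are what distinguish "allow only t3.small in us-east-2" from "allow t3.small in us-east-2", which is the property the question asks for.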