What should a SysOps administrator do to implement this requirement?
Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.
Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.
Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.
Explanations:
An EC2 instance launch configuration is not a valid resource in AWS. Instead, EC2 instances are launched using AMIs, instance types, and other parameters. Launch configurations are used for Auto Scaling groups, not individual EC2 instance provisioning.
IAM policies cannot enforce specific EC2 instance configurations directly. While IAM policies can restrict what actions users can take, they don’t specify approved instance configurations. Using AWS CloudFormation templates would require more than just IAM policies and would need to be implemented differently.
AWS Service Catalog allows for the creation of approved products (such as specific EC2 configurations). By creating a Service Catalog product and launch constraint, the SysOps administrator can enforce the use of predefined EC2 configurations. This limits business units to only launch approved configurations.
Sharing an AWS CloudFormation template is not sufficient by itself to enforce approved EC2 configurations. The business units would still have the flexibility to modify the CloudFormation template, which doesn’t guarantee that only approved configurations are used. Additionally, passing a role to CloudFormation is not a restriction method for enforcing configurations.
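To show concretely what the Service Catalog approach in the third explanation looks like in practice, here is an added CloudFormation example (not part of the original question or any AWS sample): it defines a portfolio, a product backed by an approved EC2 template, a launch role that Service Catalog assumes when provisioning, a launch role constraint binding that role to the product, and a business-unit role that holds only Service Catalog end-user permissions. The resource names, the S3 template URL parameter, the trust policy on the business-unit role, and the action list on the launch role are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - approved EC2 product enforced with a Service Catalog launch role constraint

Parameters:
  ApprovedTemplateUrl:
    Type: String
    Description: S3 URL of the SysOps-approved EC2 CloudFormation template (assumed value)

Resources:
  # Role Service Catalog assumes to create the product's stack. Business units never hold
  # ec2:RunInstances themselves; only this role can launch instances, and only via the product.
  LaunchRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: servicecatalog.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ProvisionApprovedEc2
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Assumed minimal set: what the approved template creates, plus the
              # CloudFormation calls Service Catalog makes on the role's behalf.
              - Effect: Allow
                Action:
                  - ec2:RunInstances
                  - ec2:DescribeInstances
                  - ec2:TerminateInstances
                  - ec2:CreateTags
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:DescribeStackEvents
                  - cloudformation:GetTemplateSummary
                  - cloudformation:UpdateStack
                  - cloudformation:ValidateTemplate
                Resource: '*'

  # Role the business unit signs in with. Only Service Catalog end-user actions, no direct EC2.
  BusinessUnitRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'   # assumed trust: same-account users
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess

  Portfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: ApprovedCompute
      ProviderName: SysOps

  # The product is the approved configuration; users can only pick parameters the template exposes.
  ApprovedEc2Product:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: ApprovedEc2Instance
      Owner: SysOps
      ProvisioningArtifactParameters:
        - Name: v1
          Info:
            LoadTemplateFromURL: !Ref ApprovedTemplateUrl

  ProductInPortfolio:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref ApprovedEc2Product

  # Launch constraint: provisioning runs with LaunchRole, so the user's own permissions are not used.
  LaunchConstraint:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: ProductInPortfolio
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref ApprovedEc2Product
      RoleArn: !GetAtt LaunchRole.Arn

  # Grants the business-unit role visibility of the portfolio in the Service Catalog console.
  BusinessUnitAccess:
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      PrincipalARN: !GetAtt BusinessUnitRole.Arn
      PrincipalType: IAM
```

The separation of the two roles is the point of the pattern: the launch role carries the EC2 and CloudFormation permissions but can only be assumed by the Service Catalog service, while the business-unit role can list and provision products but cannot call ec2:RunInstances or modify the template behind the product. Any change to what gets launched goes through a new provisioning artifact version published by the administrator, which is the control the other three options lack.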