Which option ensures that services are not allowed within the production accounts, yet are allowed in separate development accounts, with the LEAST administrative overhead?
Use AWS Config to shut down non-compliant services found within the production accounts on a periodic basis, while allowing these same services to run in the development accounts.
Apply service control policies to the AWS Organizational Unit (OU) containing the production accounts to whitelist certified services. Apply a less restrictive policy to the OUs containing the development accounts.
Use IAM policies applied to the combination of user and account to prevent developers from using these services within the production accounts. Allow the services to run in development accounts.
Use Amazon CloudWatch to report on the use of non-certified services within any account, triggering an AWS Lambda function to terminate only those non-certified services when found in a production account.
Explanations:
AWS Config can help in identifying non-compliant resources, but it doesn’t actively prevent the usage of services in production accounts. Periodic shutdown may also lead to disruptions and added complexity.
Service Control Policies (SCPs) define which services and actions the accounts in an organizational unit are permitted to use; a request outside the policy is rejected before it reaches the service. Applying a restrictive allow-list policy to the production OU and a more permissive one to the development OUs is the most efficient way to control service usage with minimal administrative overhead.
IAM policies can control service access based on user roles and account, but this approach can be overly complex and harder to manage for a large number of accounts or services. It also doesn’t scale well across multiple accounts in AWS Organizations.
CloudWatch monitoring and Lambda automation can identify and terminate non-compliant services, but it requires additional setup, continuous monitoring, and incurs operational overhead. It is not a proactive prevention method.
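As an added illustration of the SCP explanation above (example code, not part of the original question), this Python model shows why an allow-list SCP on the production OU blocks a non-certified service there while the development OU, which keeps the default FullAWSAccess SCP, still permits it. The organization layout, account names and certified-service list are constructed assumptions.

```python
# Minimal model of SCP evaluation in AWS Organizations: a request passes the
# SCP check only if an Allow matches it at EVERY level of the root -> OU ->
# account path and no Deny matches at any level. SCPs never grant access on
# their own; an IAM policy in the account must still allow the action.
import fnmatch

# Constructed allow-list SCP for the production OU: only these certified
# services may be called; everything else is implicitly denied by the absence
# of a matching Allow statement.
PROD_ALLOWLIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:*", "s3:*", "rds:*", "cloudwatch:*", "logs:*"],
                   "Resource": "*"}],
}

# AWS's default FullAWSAccess SCP, left attached to the development OU.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Hypothetical layout: root keeps FullAWSAccess; each account inherits the
# policies attached at every level above it (listed root first).
ORG_PATH = {
    "prod-account": [[FULL_AWS_ACCESS_SCP], [PROD_ALLOWLIST_SCP]],   # root, prod OU
    "dev-account":  [[FULL_AWS_ACCESS_SCP], [FULL_AWS_ACCESS_SCP]],  # root, dev OU
}

def _matches(action, pattern):
    """Case-insensitive wildcard match of an action against one or more patterns."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def level_permits(policies, action):
    """One level permits the action if some Allow matches and no Deny matches."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(action, stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied

def scp_permits(account, action):
    """True only if every level on the account's path permits the action."""
    return all(level_permits(level, action) for level in ORG_PATH[account])

if __name__ == "__main__":
    for acct in ORG_PATH:
        for act in ("ec2:RunInstances", "sagemaker:CreateNotebookInstance"):
            print(acct, act, "allowed" if scp_permits(acct, act) else "blocked by SCP")
```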