Which solution meets these requirements?
Set up an AWS Lambda function that will initiate a run instance event and check for the required tags. Configure the function to prevent the launch of EC2 instances if the tags are missing.
Set up an AWS Config rule to monitor for EC2 instances that lack the required tags.
Set up a service control policy (SCP) that prevents the launch of EC2 instances that lack the required tags. Attach the SCP to the organization root.
Set up an Amazon CloudWatch alarm to stop any EC2 instances that lack the required tags.
Explanations:
AWS Lambda cannot directly prevent EC2 instance launches. While a Lambda function can monitor and act upon resource creation, it requires additional mechanisms like CloudWatch Events to trigger, making it more complex and requiring operational overhead.
AWS Config can monitor the compliance of resources but does not have the capability to prevent the creation of EC2 instances. It is useful for auditing, not for enforcement.
A Service Control Policy (SCP) can be used to prevent actions across an AWS Organization. An SCP can restrict launching EC2 instances without required tags, enforcing compliance at the organization level with minimal operational overhead.
CloudWatch alarms are used to monitor existing resources, but they do not prevent the creation of EC2 instances. While alarms can stop running instances, they do not prevent their initial launch.
I opine that the answer is:
Set up a service control policy (SCP) that prevents the launch of EC2 instances that lack the required tags. Attach the SCP to the organization root.