Which solution will meet these requirements?
Create a desired-instance-type managed rule in AWS Config. Configure the rule with the instance types that are allowed. Attach the rule to an event to run each time a new EC2 instance is launched.
In the EC2 console, create a launch template that specifies the instance types that are allowed. Assign the launch template to the developers’ IAM accounts.
Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers.
Use EC2 Image Builder to create an image pipeline for the developers and assist them in the creation of a golden image.
Explanations:
While creating a desired-instance-type managed rule in AWS Config can help monitor compliance, it does not prevent developers from launching any instance type. This option is more focused on post-launch compliance rather than pre-launch control.
Creating a launch template to specify allowed instance types is a good practice, but it doesn’t enforce restrictions on what developers can launch. Developers may still bypass this template if they manually select different instance types during launch.
This option is the most effective. By creating an IAM policy that explicitly specifies the allowed instance types and attaching it to an IAM group that contains the developers, you can enforce limits on which EC2 instances they are permitted to launch, thus controlling costs effectively.
EC2 Image Builder is useful for creating and managing custom images but does not limit the instance types developers can launch. This option does not address the requirement to control instance type selection.
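The IAM policy option can be written as a deny guardrail on `ec2:RunInstances` keyed on the `ec2:InstanceType` condition key. This is an added example, not part of the original question; the two instance types are a constructed allow-list, and the group is assumed to already hold whatever permissions otherwise allow launching instances.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": ["t3.micro", "t3.small"]
        }
      }
    }
  ]
}
```

Because an explicit deny overrides any allow, a launch request for a type outside the list is rejected at the API call, before the instance exists, whereas the AWS Config rule only reports the instance after it is running.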