Which solution will meet these requirements?
Create a desired-instance-type managed rule in AWS Config. Configure the rule with the instance types that are allowed. Attach the rule to an event to run each time a new EC2 instance is launched.
In the EC2 console, create a launch template that specifies the instance types that are allowed. Assign the launch template to the developers’ IAM accounts.
Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers
Use EC2 Image Builder to create an image pipeline for the developers and assist them in the creation of a golden image.
Explanations:
While AWS Config can help monitor compliance with rules, it does not prevent the launch of instances; it can only alert or enforce compliance post-launch. Therefore, it does not effectively limit the instance types developers can use at the time of launching instances.
Creating a launch template can standardize the launch parameters for instances, but it does not enforce restrictions on the instance types that can be launched. Developers may still have access to launch other types of instances if they have the necessary IAM permissions.
By creating an IAM policy that specifies the allowed instance types and attaching this policy to an IAM group containing the developers, the company can effectively restrict which instance types can be launched by those developers. This approach directly controls permissions and is in alignment with AWS best practices.
EC2 Image Builder is used to automate the creation of Amazon Machine Images (AMIs), but it does not inherently limit the types of instances that can be launched. This solution does not address the requirement to restrict instance types.
From my point of view, the answer is:
Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers