Which solution will meet these requirements?

By:
In: SAP-C01
Tagged:
With: 2 Comments
A large mobile gaming company has successfully migrated all of its on-premises infrastructure to the AWS Cloud.A solutions architect is reviewing the environment to ensure that it was built according to the design and that it is running in alignment with the Well-Architected Framework.While reviewing previous monthly costs in Cost Explorer, the solutions architect notices that the creation and subsequent termination of several large instance types account for a high proportion of the costs.The solutions architect finds out that the company’s developers are launching new Amazon EC2 instances as part of their testing and that the developers are not using the appropriate instance types.The solutions architect must implement a control mechanism to limit the instance types that only the developers can launch.

Which solution will meet these requirements?

Create a desired-instance-type managed rule in AWS Config. Configure the rule with the instance types that are allowed. Attach the rule to an event to run each time a new EC2 instance is launched.

In the EC2 console, create a launch template that specifies the instance types that are allowed. Assign the launch template to the developers’ IAM accounts.

Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers

Use EC2 Image Builder to create an image pipeline for the developers and assist them in the creation of a golden image.

Explanations:

While AWS Config can help monitor compliance with rules, it does not prevent the launch of instances; it can only alert or enforce compliance post-launch. Therefore, it does not effectively limit the instance types developers can use at the time of launching instances.

Creating a launch template can standardize the launch parameters for instances, but it does not enforce restrictions on the instance types that can be launched. Developers may still have access to launch other types of instances if they have the necessary IAM permissions.

By creating an IAM policy that specifies the allowed instance types and attaching this policy to an IAM group containing the developers, the company can effectively restrict which instance types can be launched by those developers. This approach directly controls permissions and is in alignment with AWS best practices.

EC2 Image Builder is used to automate the creation of Amazon Machine Images (AMIs), but it does not inherently limit the types of instances that can be launched. This solution does not address the requirement to restrict instance types.

2026-03-18

2 Comments

  1. Nathan
    Author

    From my point of view, the answer is:
    Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers

  2. Gregory
    Author

    I guess:
    Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers

Leave a Reply to Gregory Cancel reply

Your email address will not be published. Required fields are marked *

thirteen − three =