Which solution will meet these requirements with the LEAST development effort?
Develop AWS Systems Manager templates that use an approved EC2 creation process. Use the approved Systems Manager templates to provision EC2 instances.
Use AWS Organizations to organize the accounts into organizational units (OUs). Define and attach a service control policy (SCP) to control the usage of EC2 instance types.
Configure an Amazon EventBridge rule that invokes an AWS Lambda function when an EC2 instance is created. Stop disallowed EC2 instance types.
Set up AWS Service Catalog products for the staff to create the allowed EC2 instance types. Ensure that staff can deploy EC2 instances only by using the Service Catalog products.
Explanations:
Developing AWS Systems Manager templates for provisioning EC2 instances can help standardize instance creation, but it requires significant development effort to create, maintain, and enforce the templates across multiple accounts. This approach does not inherently restrict instance types at the organizational level.
Using AWS Organizations to define organizational units (OUs) and attaching service control policies (SCPs) allows for centralized control over what AWS resources can be created in each account. This method requires minimal development effort and effectively restricts the creation of oversized EC2 instances by defining allowed instance types through SCPs.
While configuring an Amazon EventBridge rule to invoke a Lambda function can stop disallowed EC2 instance types after creation, it does not prevent their creation in the first place. This approach also involves ongoing management and can lead to additional costs and complexity without providing a proactive restriction on resource types.
Setting up AWS Service Catalog products can provide a controlled way for staff to deploy allowed EC2 instance types. However, it still requires significant initial setup and ongoing management. It does not offer a blanket restriction on instance types at an organizational level as SCPs do, making it less efficient for the requirement of centralized control.
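As an added illustration of the SCP approach described in the second explanation (not part of the original question), a service control policy of the following shape denies `ec2:RunInstances` for any instance type outside an allowed list. The instance types listed and the `Sid` value are assumptions chosen for the example; the page does not state which types are approved.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedInstanceTypesExample",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t3.micro",
            "t3.small",
            "t3.medium"
          ]
        }
      }
    }
  ]
}
```

Attached to an OU, the policy applies to every principal in the member accounts under it, including account administrators, so the launch request is rejected before any instance exists. SCPs do not apply to the organization's management account, so workloads that must be constrained belong in member accounts.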