Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 492 discussion

Anytime you see Multiple AWS Accounts, and needs to consolidate is AWS Organization. Also anytime we need to restrict anything in an organization, it is SCP policies.

IN MY EXAM

B. Multiple AWS account, consolidate under one AWS Organization, top down policy (SCP) to all member account to restrict EC2 Type.

Use AWS Organizations to organize the accounts into organizational units (OUs). Define and attach a service control policy (SCP) to control the usage of EC2 instance types.

I have a question regarding this answer, what do they mean by "development effort"?: If they mean the work it takes to implement the solution (using develop as implement), option B achieves the constraint with little administrative overhead (there is less to do to configure this option). If by "development effort", they mean less effort for the development team, when development team try to deploy instances and gets errors because they are not allowed, this generates overhead. In this case the best option is D. What did you think?

Use AWS Organizations to organize the accounts into organizational units (OUs). Define and attach a service control policy (SCP) to control the usage of EC2 instance types

BBBBBBBBB

I would choose B The other options would require some level of programming or custom resource creation: A. Developing Systems Manager templates requires development effort C. Configuring EventBridge rules and Lambda functions requires development effort D. Creating Service Catalog products requires development effort to define the allowed EC2 configurations. Option B - Using Organizations service control policies - requires no custom development. It involves: Organizing accounts into OUs Creating an SCP that defines allowed/disallowed EC2 instance types Attaching the SCP to the appropriate OUs This is a native AWS service with a simple UI for defining and managing policies. No coding or resource creation is needed. So option B, using Organizations service control policies, will meet the requirements with the least development effort.

AWS Organizations: AWS Organizations is a service that helps you centrally manage multiple AWS accounts. It enables you to group accounts into organizational units (OUs) and apply policies across those accounts. Service Control Policies (SCPs): SCPs in AWS Organizations allow you to define fine-grained permissions and restrictions at the account or OU level. By attaching an SCP to the development accounts, you can control the creation and usage of EC2 instance types. Least Development Effort: Option B requires minimal development effort as it leverages the built-in features of AWS Organizations and SCPs. You can define the SCP to restrict the use of oversized EC2 instance types and apply it to the appropriate OUs or accounts.

B for me as well