Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 883 discussion

My first instinct says B, but Im concerned about the central management abilities of AWS Budgets. It seems that even though it is not planned to be used primarily to control other accounts its still possible: "You can use actions to define an explicit response that you want to take when a budget exceeds its action threshold. You can trigger these alerts on actual or forecasted cost and usage budgets. 1. The management account sets the budget and threshold for the member account using budget filters. 2. When the budget threshold is breached, a budget action applies a restrictive SCP on the OU. So hopefully B :D

AnswerB https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-controls.html Taking into consideration that AWS Budgets is allowing to will inform you that you exceeded budged and execute actions like for example IAM actions to prevent running new resources in cloud, I think this option is a good and resonable move. In case of need budged can be always increased and "chains" disabled.

A - Tags help monitor costs, and AWS Config can enforce tagging rules, but manually tagging is TOO MUCH WORK. B - Preventive (aka not reactive) cost control, good. Too provocative? Yeah, maybe. Developers might experience disruption if they hit their budget limits unexpectedly, and then the cost a little over the budget might not seem like a problem anymore... BUT this is actually a preventive approach with "the LEAST operational overhead". C - "Daily reports" might be too late. D - It can limit resource usage during non-working hours, but overall, you gotta deal with high operational overhead.

As beautifully explained in this article: https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-controls.html

(A) is eliminated. 'send a daily report to each developer' can be ignored. (C) is eliminated. 'detect anomalous spending' won't stop the spending. (D) is eliminated. 'stop running resources at the end of each work day' won't stop developers from mining bitcoin ($$$) the next day. (B) is correct. 'actions to apply a DenyAll policy..' is the only solution that will 'implement controls to limit AWS resource costs that the developers incur.'

Seem AWS Budgets does not have DenyAll function but only Apply a custom Deny IAM policy that restricts the ability for a user, group, or role to provision additional Amazon EC2 resources

B and D are too aggressive. A - "Instruct each developer", nope, too much operational work.