Exam AWS Certified Solutions Architect - Professional topic 1 question 791 discussion

A large mobile gaming company has successfully migrated all of its on-premises infrastructure to the AWS Cloud. A solutions architect is reviewing the environment to ensure that it was built according to the design and that it is running in alignment with the Well-Architected Framework.
While reviewing previous monthly costs in Cost Explorer, the solutions architect notices that the creation and subsequent termination of several large instance types account for a high proportion of the costs. The solutions architect finds out that the company's developers are launching new Amazon EC2 instances as part of their testing and that the developers are not using the appropriate instance types.
The solutions architect must implement a control mechanism to limit the instance types that only the developers can launch.
Which solution will meet these requirements?

  • A. Create a desired-instance-type managed rule in AWS Config. Configure the rule with the instance types that are allowed. Attach the rule to an event to run each time a new EC2 instance is launched.
  • B. In the EC2 console, create a launch template that specifies the instance types that are allowed. Assign the launch template to the developers' IAM accounts.
  • C. Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers.
  • D. Use EC2 Image Builder to create an image pipeline for the developers and assist them in the creation of a golden image.
Suggested Answer: C
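
The control in answer C, written out as an added example (not part of the original question or any commenter's post): an identity-based policy that denies `ec2:RunInstances` for instance types outside an allow-list, with a simplified check of that one statement against constructed launch requests. The allow-list values and the `is_denied` helper are assumptions for illustration; the helper models only this statement shape, not IAM's full policy evaluation.

```python
import json

# Assumed allow-list; the page does not name the approved instance types.
ALLOWED_TYPES = ["t3.micro", "t3.small"]

def build_policy(allowed_types):
    """Explicit Deny on RunInstances for any instance type outside the list."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnapprovedInstanceTypes",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotEquals": {"ec2:InstanceType": sorted(allowed_types)}
            },
        }],
    }

def is_denied(policy, action, instance_type):
    """Simplified model of this one statement shape, not IAM's full evaluator."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        allowed = stmt["Condition"]["StringNotEquals"]["ec2:InstanceType"]
        # StringNotEquals with several values matches only if none are equal.
        if instance_type not in allowed:
            return True
    return False

# Constructed launch requests from a member of the developers' group.
SAMPLE_REQUESTS = ["t3.micro", "m5.24xlarge", "t3.small", "p4d.24xlarge"]

def review(requests, policy):
    """Map each requested instance type to the verdict of the Deny statement."""
    return {t: ("deny" if is_denied(policy, "ec2:RunInstances", t) else "not denied")
            for t in requests}

if __name__ == "__main__":
    policy = build_policy(ALLOWED_TYPES)
    print(json.dumps(policy, indent=2))
    for itype, verdict in review(SAMPLE_REQUESTS, policy).items():
        print(f"{itype:14} {verdict}")
```

The statement only denies, so the group still needs a separate Allow for `ec2:RunInstances`. Because it is attached to the developers' IAM group alone, other principals in the account are unaffected.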

Comments

bkrish
Highly Voted 2 years, 7 months ago
Selected Answer: C
This is doable with IAM policy creation to restrict users to specific instance types. Found the below article. https://blog.vizuri.com/limiting-allowed-aws-instance-type-with-iam-policy
upvoted 8 times
...
Simon523
Most Recent 1 year, 3 months ago
Selected Answer: C
CREATE AN IAM POLICY TO RESTRICT EC2 USAGE BY FAMILY https://www.wellarchitectedlabs.com/cost/200_labs/200_2_cost_and_usage_governance/3_ec2_restrict_family/
upvoted 1 times
...
Heer
1 year, 10 months ago
OPTION C A solution that would meet these requirements is to use AWS Identity and Access Management (IAM) policies to restrict the instance types that developers can launch. The solutions architect can create IAM policies that only allow the launch of specific instance types and attach those policies to the IAM roles that the developers use. This will ensure that developers are only able to launch the instance types that are appropriate for their use case.
upvoted 1 times
...
Ni_yot
2 years, 1 month ago
Should be C.
upvoted 1 times
...
gnic
2 years, 3 months ago
Selected Answer: C
It's C - AWS Config is for monitoring and alert, it doesn't prevent.
upvoted 1 times
...
hilft
2 years, 4 months ago
C. tkanmani76 is right.
upvoted 3 times
...
Ni_yot
2 years, 9 months ago
Will go with B. Better to restrict using IAM groups.
upvoted 1 times
Ni_yot
2 years, 1 month ago
It's C, my bad.
upvoted 1 times
...
...
feddo
2 years, 11 months ago
Could this not be done with either AWS Config or an IAM Policy? Wouldn't both A and C be options in this case? I am not sure why I would pick one over the other here...
upvoted 1 times
tkanmani76
2 years, 10 months ago
It's C - Option A doesn't restrict only for devs. It would impact everyone.
upvoted 11 times
wahlbergusa
2 years, 10 months ago
AWS Config is also a detection engine. You can automate things in the backend to correct whatever needs to be corrected. But it cannot prevent it from happening.
upvoted 6 times
sodasu
2 years, 1 month ago
Right! →https://aws.amazon.com/tw/config/faq/ --- Q: Does the service prevent users from taking non-compliant actions? Config rules do not directly affect how end-users consume AWS. Config rules evaluate resource configurations only after a configuration change has been completed and recorded by AWS Config. Config rules do not prevent the user from making changes that could be non-compliant. To control what a user can provision on AWS and configuration parameters allowed during provisioning, please use AWS Identity and Access Management (IAM) Policies and AWS Service Catalog respectively.
upvoted 1 times
...
...
...
...