Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 66 discussion

Clear - BCF - SCP is preferable over IAM

I prefer D over C as IAM cant be applied to Account

Fixed monthly budget> implement AWS budget. hence B is correct. Prevent running unnecessary services> implement SCP. hence C is correct. on F: I'm just not sure why do we want to terminate all resources and why not just don't let them run additional.

B. Use AWS Budgets to create a fixed monthly budget for each developer’s account as part of the account creation process. C. Create an SCP to deny access to costly services and components. Apply the SCP to the developer accounts. F. Create an AWS Budgets alert action to send an Amazon Simple Notification Service (Amazon SNS) notification when the budgeted amount is reached. Invoke an AWS Lambda function to terminate all services.

Why Option C is Preferred to D : Centralized Control: SCPs provide a centralized way to manage permissions across all accounts in an organization, ensuring consistent enforcement of policies. Scalability: SCPs are easier to manage and scale when dealing with multiple accounts, as changes to the SCP will automatically apply to all accounts under the organization. Compliance: SCPs help ensure compliance with organizational policies by preventing the use of restricted services across all accounts.

BCF - SCP, budget and custom lambda to terminate services

BDF cannot apply scp in account, need to apply it in OU

B. Use AWS Budgets to create a fixed monthly budget for each developer’s account as part of the account creation process. AWS Budgets allows you to set custom cost and usage budgets that alert you when you exceed your thresholds. C. Create an SCP to deny access to costly services and components. Apply the SCP to the developer accounts. By creating an SCP that specifically denies access to costly AWS services, the company can prevent developers from launching such services, thereby helping to keep costs within the fixed monthly budget. F. Create an AWS Budgets alert action to send an Amazon Simple Notification Service (Amazon SNS) notification when the budgeted amount is reached. Invoke an AWS Lambda function to terminate all services. While AWS Budgets cannot directly terminate services when a budget is exceeded, you can configure an alert to trigger a notification. This notification can then invoke a Lambda function designed to assess and terminate services as necessary, based on the company’s policies.

Setting a monthly cost budget with a variable target amount, with each subsequent month growing the budget target by 5 percent. Then, you can configure your notifications for 80 percent of your budgeted amount and apply an action. For example, you could automatically apply a custom IAM policy that denies you the ability to provision additional resources within an account. https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-managing-costs.html ans :bdf

A = SCP is used to limit permission that administrator can grant IAM users/roles, SCP cannot set a fixed monthly account usage limit B = correct C = correct D = it could work, but it would required more work wrt SCP E = Budget actions cannot terminate all kind of services, actually supports 3 types of actions 1/ apply IAM policy to IAM identities, 2/ apply SCP to an OU and 3/ terminate EC2 and RDS instances F = correct

Although, C is correct, some people here says that SCP cannot be attached to an account, but it is not true, you can, the most common option when we want to deny permissions to an account is to use an IAM policy.

BCF. In Option D, we can not apply IAM policy to an AWS Account.

I'd go with BDF, since there's no mention of OU. As a rule of thumb, IAM policies to restrict are applied on Accounts, Users, Groups and SCP's on OU's.

BCF is right. I think SCP is more convenient than iam. You need to config the IAM to all account manually

prefer SCP over IAm in org accounts

It's a BCF

C - SCP would be prefer to control the services could be used in Organization's AWS accounts.