Question
A company has several business units that want to use Amazon EC2. The company wants to require all business units to provision their EC2 instances by using only approved EC2 instance configurations. What should a SysOps administrator do to implement this requirement?
A. Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.
B. Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.
C. Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
D. Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.
Answer
C. Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
Explanation
The correct answer is C. Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
AWS Service Catalog is a service that enables you to create and manage catalogs of IT services that are approved for use on AWS. You can use AWS Service Catalog to define and enforce consistent governance and compliance policies across your organization. You can also use AWS Service Catalog to provide your users with self-service access to the IT services that they need, while ensuring that they follow your best practices and standards.
To use AWS Service Catalog, you need to create a portfolio, which is a collection of products and configuration options that you want to offer to your users. A product is an IT service that you want to provision, such as an EC2 instance, a database, or an application. You can create a product by using a CloudFormation template that describes the resources and their properties that you want to create. You can also add constraints to a product, which are rules that govern the use of the product, such as launch constraints, template constraints, or tag update constraints. A launch constraint is a type of constraint that specifies an IAM role that AWS Service Catalog assumes when launching or updating the product. This role defines the permissions that are required to provision the product.
To publish a product and launch constraint role for EC2 instances by using AWS Service Catalog, you need to follow these steps:
- Create an IAM role that has the permissions to launch and manage EC2 instances. This role will be used as the launch constraint role for your product.
- Create a CloudFormation template that defines the approved EC2 instance configurations that you want to offer to your users. This template will be used as the source for your product.
- Create a portfolio in AWS Service Catalog and give it a name and a description.
- Add the CloudFormation template as a product to your portfolio and give it a name and a description.
- Add a launch constraint to your product and specify the IAM role that you created as the launch constraint role.
- Share your portfolio with the business units that you want to grant access to your product. You can share your portfolio by using AWS Organizations, IAM principals, or IAM roles.
- Allow the business units to perform actions in AWS Service Catalog only. You can do this by creating an IAM policy that grants them permissions to list, view, and launch products from your portfolio, but denies them permissions to create or modify any resources outside of AWS Service Catalog.
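The artifacts behind these steps, as an added example that is not part of the original page: the trust and permissions policies for the launch constraint role, the end-user IAM policy that confines business units to AWS Service Catalog, and the product's CloudFormation template with the instance type pinned to an approved list. A small, simplified IAM evaluator (explicit Deny beats Allow; Resource and Condition are ignored) shows the practical effect: a business-unit principal can call servicecatalog:ProvisionProduct but not ec2:RunInstances, while the launch role, which only Service Catalog can assume, holds the EC2 permissions. Nothing is deployed; role names, the instance-type list and the AMI id are constructed placeholders, and the action lists are a minimal illustrative set rather than a complete production policy.

```python
"""Added example (not from the page): build and sanity-check the artifacts
for an AWS Service Catalog product with a launch constraint role.
All names and values are constructed placeholders; nothing is deployed."""
import fnmatch
import json

# Constructed: the instance types the company has approved.
APPROVED_INSTANCE_TYPES = ["t3.micro", "t3.small"]


def launch_role_trust_policy():
    """Trust policy for the launch constraint role: only Service Catalog may assume it,
    so business-unit users never hold these permissions directly."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "servicecatalog.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def launch_role_permissions_policy():
    """Permissions the launch role needs to create the product's resources
    (illustrative minimal set; real products usually need more)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["ec2:RunInstances", "ec2:DescribeInstances",
                        "ec2:TerminateInstances", "ec2:CreateTags"]},
            {"Effect": "Allow", "Resource": "*",
             "Action": ["cloudformation:CreateStack", "cloudformation:DescribeStacks",
                        "cloudformation:DeleteStack", "cloudformation:UpdateStack"]},
        ],
    }


def end_user_policy():
    """Policy attached to the business units: list, view and launch products only.
    The explicit Deny keeps direct EC2 launches blocked even if another attached
    policy ever grants them."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "UseCatalogOnly", "Effect": "Allow", "Resource": "*",
             "Action": ["servicecatalog:SearchProducts", "servicecatalog:DescribeProduct",
                        "servicecatalog:DescribeProductView", "servicecatalog:ListLaunchPaths",
                        "servicecatalog:DescribeProvisioningParameters",
                        "servicecatalog:ProvisionProduct", "servicecatalog:ScanProvisionedProducts",
                        "servicecatalog:DescribeRecord", "servicecatalog:TerminateProvisionedProduct"]},
            {"Sid": "NoDirectEc2", "Effect": "Deny", "Resource": "*",
             "Action": ["ec2:RunInstances", "ec2:ModifyInstanceAttribute"]},
        ],
    }


def product_template():
    """CloudFormation template used as the product source. AllowedValues on the
    InstanceType parameter is what makes the configuration 'approved only'."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "InstanceType": {"Type": "String", "Default": APPROVED_INSTANCE_TYPES[0],
                             "AllowedValues": list(APPROVED_INSTANCE_TYPES)},
        },
        "Resources": {
            "Instance": {"Type": "AWS::EC2::Instance",
                         "Properties": {"InstanceType": {"Ref": "InstanceType"},
                                        "ImageId": "ami-PLACEHOLDER"}},  # placeholder AMI id
        },
    }


def is_allowed(policy, action):
    """Simplified IAM evaluation: explicit Deny wins, then any Allow, else implicit deny.
    IAM action patterns use '*' and '?' wildcards and are case-insensitive."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def template_pins_instance_type(template):
    """True when every AWS::EC2::Instance takes its InstanceType from a parameter
    whose AllowedValues are a subset of the approved list."""
    params = template.get("Parameters", {})
    for res in template["Resources"].values():
        if res["Type"] != "AWS::EC2::Instance":
            continue
        ref = res["Properties"].get("InstanceType")
        if not (isinstance(ref, dict) and "Ref" in ref):
            return False  # hard-coded or missing type bypasses the approved list
        allowed = params.get(ref["Ref"], {}).get("AllowedValues")
        if not allowed or not set(allowed) <= set(APPROVED_INSTANCE_TYPES):
            return False
    return True


if __name__ == "__main__":
    for name, doc in [("launch-role-trust", launch_role_trust_policy()),
                      ("launch-role-permissions", launch_role_permissions_policy()),
                      ("end-user-policy", end_user_policy()),
                      ("product-template", product_template())]:
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
    print("template pins instance type:", template_pins_instance_type(product_template()))
```

The key check is the pair of evaluations on the end-user policy: the same principal that may provision the product is explicitly denied ec2:RunInstances, and anything the policy does not mention (for example ec2:DescribeInstances) falls to the implicit deny. The template check is the kind of guard a reviewer would run before publishing a product, since a hard-coded InstanceType or a parameter without AllowedValues silently removes the "approved configurations only" guarantee.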
This solution meets the company's requirement: business units can provision EC2 instances only through the approved product, whose configuration is fixed by the CloudFormation template and whose resources are created by the launch constraint role rather than by the users' own permissions. It is also the most operationally efficient option, because it does not require any additional services or tools and leverages the existing functionality and scalability of AWS Service Catalog and CloudFormation.
The other options are not correct for the following reasons:
A. Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.
This option is not correct, as it does not enforce consistent governance and compliance policies across the organization. A launch configuration is a template that defines the configuration information for launching EC2 instances in an Auto Scaling group. However, a launch configuration does not prevent the business units from launching EC2 instances outside of Auto Scaling or modifying the instance configurations after launching them.
B. Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.
This option is not correct, as it does not ensure that the business units will use only approved EC2 instance configurations. An IAM policy is a document that defines the permissions for an IAM user, group, or role. However, an IAM policy does not specify which CloudFormation template or which EC2 instance configurations the business units should use when launching instances.
D. Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.
This option is not correct, as it does not provide self-service access or consistent governance for the business units. Sharing a CloudFormation template with the business units does not guarantee that they will use it or follow it correctly when launching instances. Passing a role to CloudFormation does not prevent the business units from creating or modifying any resources outside of CloudFormation.