Discover how to optimize AWS data transfer and compute costs across developer accounts using Service Control Policies, CloudFormation templates, and IAM permissions for approved resource deployment.
Question
A company wants to optimize AWS data-transfer costs and compute costs across developer accounts within the company’s organization in AWS Organizations. Developers can configure VPCs and launch Amazon EC2 instances in a single AWS Region. The EC2 instances retrieve approximately 1 TB of data each day from Amazon S3.
The developer activity leads to excessive monthly data-transfer charges and NAT gateway processing charges between EC2 instances and S3 buckets, along with high compute costs. The company wants to proactively enforce approved architectural patterns for any EC2 instance and VPC infrastructure that developers deploy within the AWS accounts. The company does not want this enforcement to negatively affect the speed at which the developers can perform their tasks.
Which solution will meet these requirements MOST cost-effectively?
A. Create SCPs to prevent developers from launching unapproved EC2 instance types. Provide the developers with an AWS CloudFormation template to deploy an approved VPC configuration with S3 interface endpoints. Scope the developers’ IAM permissions so that the developers can launch VPC resources only with CloudFormation.
B. Create a daily forecasted budget with AWS Budgets to monitor EC2 compute costs and S3 data-transfer costs across the developer accounts. When the forecasted cost is 75% of the actual budget cost, send an alert to the developer teams. If the actual budget cost is 100%, create a budget action to terminate the developers’ EC2 instances and VPC infrastructure.
C. Create an AWS Service Catalog portfolio that users can use to create an approved VPC configuration with S3 gateway endpoints and approved EC2 instances. Share the portfolio with the developer accounts. Configure an AWS Service Catalog launch constraint to use an approved IAM role. Scope the developers’ IAM permissions to allow access only to AWS Service Catalog.
D. Create and deploy AWS Config rules to monitor the compliance of EC2 and VPC resources in the developer AWS accounts. If developers launch unapproved EC2 instances or if developers create VPCs without S3 gateway endpoints, perform a remediation action to terminate the unapproved resources.
Answer
A. Create SCPs to prevent developers from launching unapproved EC2 instance types. Provide the developers with an AWS CloudFormation template to deploy an approved VPC configuration with S3 interface endpoints. Scope the developers’ IAM permissions so that the developers can launch VPC resources only with CloudFormation.
Explanation
This solution meets the requirements preventively and at essentially no extra cost. Service Control Policies (SCPs) in AWS Organizations act as guardrails on every principal in the developer accounts, including account administrators, so a Deny on ec2:RunInstances conditioned on the ec2:InstanceType key stops unapproved (and typically more expensive) instance types before they launch, rather than detecting them afterwards. SCPs never grant permissions; they only limit what the IAM policies inside each account can allow.
The CloudFormation template gives developers a VPC whose EC2-to-S3 traffic uses a VPC endpoint instead of a NAT gateway. Data transfer between EC2 and S3 within the same Region is already free; the recurring charge in the scenario is the NAT gateway data-processing fee on the roughly 1 TB per day that traverses it, and an endpoint keeps that traffic on the AWS network so the NAT gateway charge disappears. One caveat: an S3 interface endpoint (AWS PrivateLink), as named in option A, still incurs an hourly charge per Availability Zone plus a per-GB data-processing charge, which is far lower than NAT gateway pricing but not zero. An S3 gateway endpoint has no additional charge and is the cheaper choice when the only consumers are EC2 instances inside the VPC; interface endpoints are needed when S3 must be reached from on premises, from a peered VPC, or from anything that cannot use the route-table-based gateway endpoint. A cost-focused architect should confirm that a gateway endpoint does not satisfy the requirement before choosing the interface endpoint.
Scoping the developers' IAM permissions so that VPC and EC2 resources can be created only through CloudFormation (for example, allowing cloudformation:CreateStack and iam:PassRole for an approved stack execution role while denying direct ec2:CreateVpc, ec2:CreateNatGateway and similar actions) means every VPC is built from the approved template, so the endpoint is always present and a NAT gateway is never created for S3 traffic.
This approach enforces the approved patterns without slowing developers down: SCPs, IAM policies and CloudFormation templates carry no charge of their own, and developers still launch infrastructure themselves using the approved template and instance types. Options B and D are reactive and destructive, because the cost or the non-compliant resource already exists before an alert fires or a remediation terminates it, and option D also adds AWS Config rule-evaluation charges. Option C would also enforce the patterns, but it introduces an additional service layer that the requirements do not call for.
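The following is an added example, not part of the original question or explanation, showing what the SCP in option A looks like and how its condition behaves against sample instance types. The approved instance-type list and the statement Sid are hypothetical; the policy grammar follows the documented AWS pattern of denying ec2:RunInstances on the instance resource with a condition on ec2:InstanceType. The evaluator below is an offline simulation of that one condition for illustration and does not call AWS.

```python
"""Build the instance-type deny-list SCP from option A and check which
ec2:RunInstances calls it would block.  Added example; the approved
instance types and the Sid are hypothetical."""
import fnmatch
import json

# Hypothetical approved list. Wildcards (e.g. "m5.*") are allowed because
# the statement uses StringNotLike rather than StringNotEquals.
APPROVED_INSTANCE_TYPES = ["t3.micro", "t3.small", "t3.medium", "m5.large", "m5.xlarge"]


def build_instance_type_scp(approved_types):
    """Return an SCP document that denies launching any EC2 instance whose
    type is not in approved_types.

    SCPs only filter permissions that IAM policies inside the account grant;
    they never grant anything, so a deny-list SCP has only Deny statements
    and relies on the default FullAWSAccess SCP staying attached.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnapprovedInstanceTypes",  # hypothetical name
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                # Scope the deny to the instance resource only. RunInstances is
                # also authorized against volumes, network interfaces and other
                # resource types on which ec2:InstanceType is absent; a "Not"
                # operator treats an absent key as a match, so a Resource of
                # "*" would deny every RunInstances call, approved type or not.
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringNotLike": {"ec2:InstanceType": list(approved_types)}
                },
            }
        ],
    }


def run_instances_denied(policy, instance_type):
    """Simulate the SCP against a RunInstances request for one instance type.

    Returns True when the Deny statement matches. StringNotLike matches when
    the request value matches none of the policy patterns; fnmatchcase gives
    the same case-sensitive '*' and '?' semantics that IAM uses.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "ec2:RunInstances":
            continue
        patterns = stmt["Condition"]["StringNotLike"]["ec2:InstanceType"]
        if not any(fnmatch.fnmatchcase(instance_type, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    scp = build_instance_type_scp(APPROVED_INSTANCE_TYPES)
    print(json.dumps(scp, indent=2))
    for itype in ["t3.micro", "m5.large", "m5.24xlarge", "p4d.24xlarge"]:
        verdict = "DENY" if run_instances_denied(scp, itype) else "allowed by SCP"
        print(f"{itype:14} {verdict}")
```

Attach the resulting document to the organizational unit that holds the developer accounts. The simulation only covers the instance-type condition; in a real evaluation the request must also be allowed by an IAM identity policy in the account, and the SCP on every OU between the account and the root must permit it.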
Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification exam practice question and answer (Q&A) dump with detailed explanation and references, available free and helpful for passing the Amazon AWS Certified Solutions Architect – Professional SAP-C02 exam and earning the Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification.