A development team uses multiple AWS accounts for its development, staging, and production environments. Team members have been launching large Amazon EC2 instances that are underutilized. A solutions architect must prevent large instances from being launched in all accounts.
How can the solutions architect meet this requirement with the LEAST operational overhead?
The best way to prevent the launch of large EC2 instances in multiple AWS accounts with minimal operational overhead is to create an organization in AWS Organizations in the management account and apply a service control policy (SCP) that denies the launch of large EC2 instances. By applying the SCP at the organizational level, you ensure that the restriction is uniformly enforced across all accounts without the need to update IAM policies or roles individually in each account. This approach centralizes management and reduces complexity, which in turn lowers the operational overhead.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html