AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company uses AWS Organizations with a management (payer) account and several member accounts, including a development account that has a monthly AWS budget of USD 10,000. You must ensure that if the forecasted spend for the development account reaches 100 percent of this budget, the account is prevented from launching any new Amazon EC2 or Amazon RDS resources while allowing existing workloads to continue running. The CFO must manually approve the enforcement action before it is applied, and the entire solution must be operated centrally from the management account with minimal operational effort.
Which solution will achieve this goal?
In the development account, configure an AWS Budgets cost budget with a 100 percent forecasted threshold and attach an IAM policy that automatically denies ec2:RunInstances and rds:CreateDBInstance when the threshold is reached.
In the management account, create an AWS Budgets cost budget scoped to the development account with a 100 percent forecasted-cost threshold. Attach a budget action that applies a Deny SCP preventing ec2:RunInstances and rds:CreateDBInstance, and configure the action to require manual approval.
Use AWS Cost Anomaly Detection in the management account to monitor the development account, send anomaly events to an SNS topic, and trigger a Lambda function that attaches an SCP blocking new EC2 and RDS provisioning.
Create an Amazon CloudWatch billing alarm in the development account for estimated charges of USD 10,000 and invoke AWS Systems Manager Automation to stop Amazon EC2 and Amazon RDS instances when the alarm fires.
AWS Budgets supports forecast-based thresholds and can run budget actions such as attaching a service control policy (SCP). From the management account you can scope a budget to a member account, set a threshold on forecasted spend, and attach an SCP that denies ec2:RunInstances and rds:CreateDBInstance. When the action is configured to require approval, the CFO can review and run (or cancel) the action from the Budget details page. This blocks creation of new resources without stopping existing ones and meets all central-governance and low-effort requirements.
The option that attaches an IAM policy is created inside the development account, so it cannot be centrally governed and an IAM policy would not stop principals from removing or bypassing it. The Cost Anomaly Detection option relies on a custom Lambda workflow, which is more complex and reactive rather than forecast-based. The CloudWatch billing alarm option stops running instances instead of preventing new launches and does not provide an approval workflow or central control.
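The budget action described above, sketched as an added example that is not part of the original question: it builds the Deny SCP and the request for the Budgets `CreateBudgetAction` API with manual approval. The account IDs, policy ID, role ARN, e-mail address and budget name are constructed placeholders, and the budget scoped to the development account is assumed to exist already.

```python
import json

# Constructed placeholder values (assumptions, not taken from the page).
MGMT_ACCOUNT_ID = "111111111111"
DEV_ACCOUNT_ID = "222222222222"
SCP_POLICY_ID = "p-examplescp"
EXECUTION_ROLE_ARN = f"arn:aws:iam::{MGMT_ACCOUNT_ID}:role/ExampleBudgetActionRole"
APPROVER_EMAIL = "cfo@example.com"

def build_scp():
    """Deny SCP that blocks only the two launch/create calls named in the question."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNewEc2AndRds",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances", "rds:CreateDBInstance"],
            "Resource": "*",
        }],
    }

def scp_denies(scp, action):
    """Exact-match check; sufficient here because the SCP lists no wildcards."""
    return any(s["Effect"] == "Deny" and action in s["Action"]
               for s in scp["Statement"])

def build_budget_action(budget_name):
    """Keyword arguments for budgets.create_budget_action, run in the management account."""
    return {
        "AccountId": MGMT_ACCOUNT_ID,
        "BudgetName": budget_name,
        "NotificationType": "FORECASTED",      # forecasted, not actual, spend
        "ActionType": "APPLY_SCP_POLICY",
        "ActionThreshold": {"ActionThresholdValue": 100.0,
                            "ActionThresholdType": "PERCENTAGE"},
        "Definition": {"ScpActionDefinition": {"PolicyId": SCP_POLICY_ID,
                                               "TargetIds": [DEV_ACCOUNT_ID]}},
        "ExecutionRoleArn": EXECUTION_ROLE_ARN,
        "ApprovalModel": "MANUAL",             # action waits for the approver
        "Subscribers": [{"SubscriptionType": "EMAIL", "Address": APPROVER_EMAIL}],
    }

def create_action(budget_name):
    """Submit the request; needs boto3 and management-account credentials."""
    import boto3
    return boto3.client("budgets").create_budget_action(**build_budget_action(budget_name))

if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
    print(json.dumps(build_budget_action("dev-account-monthly"), indent=2))
```

Because the SCP denies only the two create calls, calls such as `ec2:StopInstances` or `rds:ModifyDBInstance` against existing resources are unaffected, which is how existing workloads keep running.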
AWS Certified Solutions Architect Professional SAP-C02
Design Solutions for Organizational Complexity