SAP-C02 Question 269
Question
A company wants to optimize AWS data-transfer costs and compute costs across developer accounts within the company's organization in AWS Organizations. Developers can configure VPCs and launch Amazon EC2 instances in a single AWS Region. The EC2 instances retrieve approximately 1 TB of data each day from Amazon S3. The developer activity leads to excessive monthly data-transfer charges and NAT gateway processing charges between EC2 instances and S3 buckets, along with high compute costs. The company wants to proactively enforce approved architectural patterns for any EC2 instance and VPC infrastructure that developers deploy within the AWS accounts. The company does not want this enforcement to negatively affect the speed at which the developers can perform their tasks. Which solution will meet these requirements MOST cost-effectively?
Options
A. Create SCPs to prevent developers from launching unapproved EC2 instance types. Provide the developers with an AWS CloudFormation template to deploy an approved VPC configuration with S3 interface endpoints. Scope the developers' IAM permissions so that the developers can launch VPC resources only with CloudFormation.
B. Create a daily forecasted budget with AWS Budgets to monitor EC2 compute costs and S3 data-transfer costs across the developer accounts. When the forecasted cost is 75% of the actual budget cost, send an alert to the developer teams. If the actual budget cost is 100%, create a budget action to terminate the developers' EC2 instances and VPC infrastructure.
C. Create an AWS Service Catalog portfolio that users can use to create an approved VPC configuration with S3 gateway endpoints and approved EC2 instances. Share the portfolio with the developer accounts. Configure an AWS Service Catalog launch constraint to use an approved IAM role. Scope the developers' IAM permissions to allow access only to AWS Service Catalog.
D. Create and deploy AWS Config rules to monitor the compliance of EC2 and VPC resources in the developer AWS accounts. If developers launch unapproved EC2 instances or if developers create VPCs without S3 gateway endpoints, perform a remediation action to terminate the unapproved resources.
Answer
C
Explanation
Correct answer: C. Explanation: C should be chosen for this question. Correct option: C. Create an AWS Service Catalog portfolio that users can use to create an approved VPC configuration with S3 gateway endpoints and approved EC2 instances. Share the portfolio with the developer accounts. Configure an AWS Service Catalog launch constraint to use an approved IAM role. Scope the developers' IAM permissions to allow access only to AWS Service Catalog. Reason for choice: This option most directly satisfies ...