Enforcing Spend Limits with SCP vs Budgets | SAP-C02

Author: Jeff Taakey, 21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the AWS SAP-C02, many candidates get confused by Cost Governance in AWS Organizations. In the real world, this is fundamentally a decision about Preventive Controls (SCPs) vs. Reactive Automation (Budgets + Lambda). The exam tests whether you understand that SCPs cannot set spending limits—they control permissions, not costs. Let’s drill into a simulated scenario.

The Scenario

TechNova Labs, a SaaS startup, uses AWS Organizations to manage its multi-account environment. The company operates a Developer Sandbox Landing Zone where engineers can request AWS accounts using their corporate email to prototype new features. Leadership wants to foster innovation but is concerned about:

  1. Runaway Costs: Developers accidentally leaving expensive EC2 instances or RDS clusters running.
  2. Service Sprawl: Engineers enabling high-cost services (e.g., SageMaker, Redshift) that aren’t needed for prototyping.
  3. Budget Predictability: Each developer must operate within a fixed $500/month budget.

The company needs a solution that:

  • Prevents access to unnecessary high-cost services.
  • Enforces a hard monthly spending limit per developer account.
  • Automatically terminates resources when the budget is exceeded.

Key Requirements

Design a cost governance framework that:

  1. Blocks developers from launching prohibited services.
  2. Sets a fixed monthly budget of $500 per account.
  3. Automatically shuts down all resources when the budget threshold is reached.

The Options

A) Create an SCP to set a fixed monthly account usage limit and apply it to the developer accounts.

B) During account creation, use AWS Budgets to create a fixed monthly budget for each developer account.

C) Create an SCP to deny access to high-cost services and components, and apply it to the developer accounts.

D) Create an IAM policy to deny access to high-cost services and components, and attach it to developer IAM roles.

E) Create an AWS Budget alert action to terminate services when the budget is reached, configured to stop all running services.

F) Create an AWS Budget alert action to send an Amazon SNS notification when the budget is reached, triggering an AWS Lambda function to terminate all services.

Correct Answer

B, C, F

Step-by-Step Winning Logic

  1. Option B (AWS Budgets):

    • AWS Budgets is the only native service that monitors actual spend and triggers actions based on thresholds.
    • Must be created per-account during the account provisioning workflow (e.g., via AWS Control Tower Account Factory or Lambda automation).
  2. Option C (SCP for Service Restrictions):

    • SCPs are attached at the organization root or OU level and cap the permissions available in every member account beneath them; a Deny in an SCP cannot be overridden by any IAM policy inside those accounts.
    • Ideal for preventing developers from launching cost-intensive services, blocking API actions such as redshift:CreateCluster or sagemaker:CreateNotebookInstance.
    • Example SCP (a complete policy document; the Deny statement is what matters):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "DenyHighCostServices",
            "Effect": "Deny",
            "Action": [
              "redshift:*",
              "sagemaker:*",
              "eks:CreateCluster"
            ],
            "Resource": "*"
          }
        ]
      }
  3. Option F (Budget Alert → SNS → Lambda):

    • AWS Budgets cannot directly terminate resources (Option E is invalid).
    • The correct pattern:
      1. Budget threshold triggers an SNS notification.
      2. SNS invokes a Lambda function.
      3. Lambda uses boto3 to terminate EC2 instances, delete RDS clusters, etc.
    • This is the only exam-approved method for automated cost-driven resource termination.
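Option B in practice: a per-account budget created in the provisioning workflow, wired to SNS so that Option F's Lambda can be triggered. This is an added example, not code from the original page; the budget name, the two SNS topic ARNs (a DevOps warning topic at 75% and the kill-switch topic at 100%) and the idempotency check are assumptions. The SNS topic policy must separately allow budgets.amazonaws.com to publish.

```python
def sandbox_budget_request(account_id, budget_name, limit_usd, warn_topic_arn, kill_topic_arn):
    """Build the budgets:CreateBudget request: ACTUAL monthly spend with two SNS notifications."""
    def notification(threshold_pct, topic_arn):
        return {
            "Notification": {
                "NotificationType": "ACTUAL",          # real spend, not a forecast
                "ComparisonOperator": "GREATER_THAN",
                "Threshold": float(threshold_pct),
                "ThresholdType": "PERCENTAGE",         # percentage of BudgetLimit
            },
            "Subscribers": [{"SubscriptionType": "SNS", "Address": topic_arn}],
        }

    return {
        "AccountId": account_id,
        "Budget": {
            "BudgetName": budget_name,
            "BudgetLimit": {"Amount": f"{limit_usd:.2f}", "Unit": "USD"},
            "TimeUnit": "MONTHLY",
            "BudgetType": "COST",
        },
        "NotificationsWithSubscribers": [
            notification(75, warn_topic_arn),   # early warning, no termination
            notification(100, kill_topic_arn),  # wakes the Lambda kill switch
        ],
    }


def provision_budget(budgets_client, account_id, warn_topic_arn, kill_topic_arn):
    """Idempotent step for the account factory: create the $500 budget unless it exists."""
    name = "sandbox-monthly-500"                     # assumed naming convention
    existing = budgets_client.describe_budgets(AccountId=account_id).get("Budgets", [])
    if any(b["BudgetName"] == name for b in existing):
        return "exists"
    budgets_client.create_budget(
        **sandbox_budget_request(account_id, name, 500, warn_topic_arn, kill_topic_arn))
    return "created"
```

In the real workflow `budgets_client` is `boto3.client("budgets")`, called with the new account's credentials right after Account Factory returns.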

💎 Professional-Level Analysis

This section breaks down the scenario from a professional exam perspective, focusing on constraints, trade-offs, and the decision signals used to eliminate incorrect options.

🔐 Expert Deep Dive: Why Options Fail

This walkthrough explains how the exam expects you to reason through the scenario step by step, highlighting the constraints and trade-offs that invalidate each incorrect option.


🔐 The Traps (Distractor Analysis)

This section explains why each incorrect option looks reasonable at first glance, and the specific assumptions or constraints that ultimately make it fail.

The difference between the correct answer and the distractors comes down to one decision assumption most candidates overlook.

  • Why not Option A?
    Critical Misconception: SCPs control permissions, not spending. You cannot write an SCP like "Deny if MonthlySpend > $500"—that’s not how SCPs work. They operate on API actions (e.g., ec2:RunInstances), not cost metrics.

  • Why not Option D?
    Scope Mismatch: IAM policies are identity-based and applied to users/roles. In a multi-account organization:

    • You’d need to attach this policy to every developer role in every account—operationally unsustainable.
    • SCPs are account-level guardrails: an SCP Deny cannot be overridden by any IAM policy in the member account, so the SCP is the outer layer of defense in depth.
  • Why not Option E?
    Feature Gap: AWS Budgets do not have a native “terminate all services” action. The service only supports:

    • SNS notifications
    • Applying IAM/SCP policies (via AWS Service Catalog)
    • Starting/stopping EC2/RDS instances (limited scope)

    To “terminate all services,” you must use Lambda for custom orchestration (Option F).


🔐 The Solution Blueprint

This blueprint visualizes the expected solution, showing how services interact and which architectural pattern the exam is testing.

Seeing the full solution end to end often makes the trade-offs—and the failure points of simpler options—immediately clear.

graph TD
    A[Developer Requests Account] --> B[Account Factory Creates Account]
    B --> C[Attach SCP: Deny High-Cost Services]
    B --> D[Create AWS Budget: $500/month]
    D --> E{Spend > $500?}
    E -->|Yes| F[AWS Budgets Triggers SNS]
    F --> G[SNS Invokes Lambda Function]
    G --> H[Lambda Terminates EC2/RDS/ECS]
    G --> I[Lambda Sends Slack Alert to DevOps]
    E -->|No| J[Developer Continues Work]
    
    style C fill:#FF6B6B,stroke:#C92A2A,color:#fff
    style D fill:#4ECDC4,stroke:#0A9396,color:#fff
    style G fill:#FFE66D,stroke:#F4A261,color:#000

Diagram Note: The SCP (red) acts as a preventive guardrail before resources are launched. The Budget + Lambda (yellow) is a reactive kill switch when costs spiral.


🔐 The Decision Matrix

This matrix compares all options across cost, complexity, and operational impact, making the trade-offs explicit and the correct choice logically defensible.

At the professional level, the exam expects you to justify your choice by explicitly comparing cost, complexity, and operational impact.

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons | FinOps Impact |
|---|---|---|---|---|---|
| B (AWS Budgets) | Low | $0.02/budget ($0.60/mo for 30 accounts) | Native AWS service; integrates with SNS/Lambda | Requires per-account setup; not preventive | Essential for spend tracking |
| C (SCP Deny) | Low | $0 | Org-wide enforcement; cannot be bypassed | Requires careful design to avoid blocking legitimate services | Preventive cost control |
| F (Budget → SNS → Lambda) | Medium | SNS: ~$0.50/mo; Lambda: $0.20/1000 invocations | Fully automated; customizable termination logic | Requires Lambda code maintenance; potential for over-termination | Automated cost cap enforcement |
| A (SCP for Budget) | N/A | N/A | Architecturally impossible | SCPs do not support cost-based conditions | ❌ Invalid approach |
| D (IAM Policy) | High | $0 | Granular control | Must be applied to every role in every account; SCPs override it anyway | ⚠️ Operationally unsustainable at scale |
| E (Budget Direct Termination) | N/A | N/A | Feature does not exist | AWS Budgets cannot natively terminate arbitrary services | ❌ Invalid approach |

Cost Quantification Example (100 Developer Accounts):

  • Option B: 100 budgets × $0.02 = $2/month
  • Option C: $0 (SCPs are free)
  • Option F: 100 budget breaches/month × $0.0000002/SNS publish + 100 Lambda invocations × $0.0000002 = $0.50/month

Total Monthly Cost for Full Solution: ~$2.50/month (negligible compared to the $50,000 saved from preventing runaway spend).


🔐 Real-World Practitioner Insight

This section connects the exam scenario to real production environments, highlighting how similar decisions are made—and often misjudged—in practice.

This is the kind of decision that frequently looks correct on paper, but creates long-term friction once deployed in production.

Exam Rule

  • For SAP-C02: Always pick SCPs for organization-wide service denials and AWS Budgets + Lambda for cost-driven automation.
  • Never assume SCPs can enforce spending limits (Option A is a red herring in 40% of Organizations questions).

Real World

In production, we would layer additional controls:

  1. AWS Control Tower Guardrails: Use Detective guardrails (AWS Config rules) to flag accounts approaching 80% of budget before Lambda termination.
  2. Tagging Policies: Require CostCenter and Owner tags on all resources to enable chargeback.
  3. Service Quotas: Set hard limits (e.g., max 10 t3.medium instances per account) to prevent accidental over-provisioning.
  4. Grace Period Logic: Modify the Lambda function to:
    • Send a warning at 75% budget (don’t terminate yet).
    • Only terminate at 100% budget after a 24-hour grace period.
    • Preserve RDS snapshots and S3 data before deletion.

The exam simplifies this. In reality, you would never terminate all services blindly: you would preserve data, notify stakeholders, and potentially pause (not delete) resources.
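The Option F pattern (Budget → SNS → Lambda) combined with the grace-period logic above, as an added example that is not code from the original page. Assumptions: the SNS notification only wakes the function, which then reads real spend via budgets:DescribeBudget rather than parsing the message; the first-breach timestamp is kept per month in SSM Parameter Store; instances tagged Protected=true are never touched; the Lambda entry point (not shown) builds the three boto3 clients and calls run(). Instances are stopped, not terminated, so data survives.

```python
from datetime import datetime, timedelta, timezone

WARN_RATIO = 0.75            # warn at 75% of the budget, no termination yet
GRACE = timedelta(hours=24)  # act only after 24 h continuously at/over 100%

def decide(actual, limit, first_breach_at, now):
    """Map the spend state to 'none', 'warn', 'grace' or 'stop'."""
    ratio = actual / limit
    if ratio < WARN_RATIO:
        return "none"
    if ratio < 1.0:
        return "warn"
    if now - first_breach_at < GRACE:
        return "grace"  # over budget, but still inside the 24 h grace window
    return "stop"

def first_breach_time(ssm, name, now):
    """Persist the first over-budget timestamp in SSM Parameter Store (assumed state store)."""
    found = ssm.get_parameters(Names=[name])["Parameters"]
    if found:
        return datetime.fromisoformat(found[0]["Value"])
    ssm.put_parameter(Name=name, Value=now.isoformat(), Type="String")
    return now

def running_sandbox_instances(ec2):
    """Running instance IDs, skipping anything tagged Protected=true (assumed tag)."""
    ids = []
    resp = ec2.describe_instances(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get("Protected", "").lower() != "true":
                ids.append(inst["InstanceId"])
    return ids

def run(budgets, ssm, ec2, account_id, budget_name, now):
    """One invocation: read real spend from Budgets, decide, then stop (not delete)."""
    b = budgets.describe_budget(AccountId=account_id, BudgetName=budget_name)["Budget"]
    actual = float(b.get("CalculatedSpend", {}).get("ActualSpend", {}).get("Amount", "0"))
    limit = float(b["BudgetLimit"]["Amount"])
    first = None
    if actual >= limit:  # parameter name includes the month so state resets at rollover
        first = first_breach_time(ssm, f"/sandbox/{budget_name}/{now:%Y-%m}/first-breach", now)
    action = decide(actual, limit, first, now)
    stopped = running_sandbox_instances(ec2) if action == "stop" else []
    if stopped:
        ec2.stop_instances(InstanceIds=stopped)  # pause: EBS volumes and data survive
    return {"action": action, "stopped": stopped}
```

The function is invoked on every notification delivery, so a second breach notification in the same month sees the stored timestamp and only stops instances once the 24-hour window has elapsed.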
