AWS Certified Solutions Architect - Professional

Get started today

Ultimate access to all questions.

Explanation:

The correct answer is C.

Why Option C is the best strategy

The company has these requirements:

Cost transparency across multiple accounts in AWS Organizations (dev + prod environments).
Mandatory tags (cost center number + project ID) on all current and future RDS instances and DynamoDB tables.
No unified tagging policy exists today.
Infrastructure is deployed via AWS CloudFormation with consistent tagging practices (this is a strong hint that enforcement should leverage IaC + governance controls).
Tags must appear in billing/cost allocation reports.

Key steps in C:

Use Tag Editor to retroactively apply the required tags (CostCenter and ProjectID, or similar keys) to existing RDS and DynamoDB resources. Tag Editor is the recommended centralized tool for bulk-tagging across resource types and accounts (especially useful when there's no prior unified policy).
Activate the tags as cost allocation tags in the AWS Billing console (under Cost Allocation Tags). This makes them usable in Cost Explorer, Cost and Usage Reports (CUR), etc., for cross-account billing transparency. Activation and reflection in billing data typically takes up to 24 hours.
Enforce for the future using Service Control Policies (SCPs) attached at the AWS Organizations root or OU level. SCPs can deny resource creation actions (e.g., rds:CreateDBInstance, dynamodb:CreateTable, and related CloudFormation actions) if the required tags are missing from the request (using the aws:RequestTag condition key with a Null check).

This combination provides:

Immediate remediation for existing resources (Tag Editor).
Billing activation for cost tracking.
Preventive guardrails for new resources (SCPs), ensuring compliance even if teams bypass CloudFormation or make manual changes.
Alignment with the mandate for consistent tagging in CloudFormation (SCPs work alongside IaC; modern Tag Policies can also help validate IaC templates, but SCPs are the direct enforcement mechanism mentioned).

SCPs are a standard preventive control in multi-account setups for tagging governance. They don't rely on ongoing remediation and scale across Organizations.

Why the other options fall short

Option A: Uses Tag Editor + cost allocation tags (good for existing + billing). However, it lacks any enforcement for future resources. New RDS/DynamoDB resources could still be created without the tags, violating the "all current and future" requirement and the management mandate. No preventive control.
Option B: Relies on AWS Config (for detection) + a centralized Lambda that runs hourly with cross-account IAM roles to auto-tag untagged resources. This is a reactive approach. It adds operational overhead (custom Lambda, scheduling, permissions management across accounts), potential race conditions, and doesn't prevent creation of untagged resources. The company already mandates CloudFormation with consistent tagging — a preventive policy (like in C) is more strategic and lower-maintenance than ongoing hourly remediation.
Option D: Defines cost allocation tags (good) and modifies federated roles (IAM policies) to restrict provisioning without tags. This can work in theory via IAM condition keys (aws:RequestTag), but:
- It only affects users/roles that assume those specific federated roles.
- It doesn't cover all possible creation paths (e.g., direct console access, other IAM users, service-linked roles, or certain CloudFormation behaviors).
- SCPs are the preferred, organization-wide way to enforce this across all accounts and principals in AWS Organizations. Modifying individual roles is less scalable and centralized.

Additional best practices (for your learning notes)

Tag Policies (in AWS Organizations) complement SCPs. They can enforce required tag keys/values and now integrate with IaC validation (CloudFormation Hooks, etc.) for even stronger consistency with the company's CloudFormation mandate.
For RDS and DynamoDB specifically, tags are fully supported, including cost allocation.
After tagging existing resources and activating cost allocation tags, monitor in Cost Explorer (grouped by tags) and AWS Organizations billing views.
Combine with AWS Config required-tags rule for ongoing compliance monitoring and alerts (but not as the primary enforcement).

This approach is proactive, scalable, aligns with AWS Well-Architected best practices for cost optimization and governance, and directly addresses the surge in RDS/DynamoDB costs through better allocation and prevention of untagged resources.

Explanation:

The correct answer is C.

Why Option C is the best strategy

The company has these requirements:

Cost transparency across multiple accounts in AWS Organizations (dev + prod environments).
Mandatory tags (cost center number + project ID) on all current and future RDS instances and DynamoDB tables.
No unified tagging policy exists today.
Infrastructure is deployed via AWS CloudFormation with consistent tagging practices (this is a strong hint that enforcement should leverage IaC + governance controls).
Tags must appear in billing/cost allocation reports.

Key steps in C:

Use Tag Editor to retroactively apply the required tags (CostCenter and ProjectID, or similar keys) to existing RDS and DynamoDB resources. Tag Editor is the recommended centralized tool for bulk-tagging across resource types and accounts (especially useful when there's no prior unified policy).
Activate the tags as cost allocation tags in the AWS Billing console (under Cost Allocation Tags). This makes them usable in Cost Explorer, Cost and Usage Reports (CUR), etc., for cross-account billing transparency. Activation and reflection in billing data typically takes up to 24 hours.
Enforce for the future using Service Control Policies (SCPs) attached at the AWS Organizations root or OU level. SCPs can deny resource creation actions (e.g., rds:CreateDBInstance, dynamodb:CreateTable, and related CloudFormation actions) if the required tags are missing from the request (using the aws:RequestTag condition key with a Null check).

This combination provides:

Immediate remediation for existing resources (Tag Editor).
Billing activation for cost tracking.
Preventive guardrails for new resources (SCPs), ensuring compliance even if teams bypass CloudFormation or make manual changes.
Alignment with the mandate for consistent tagging in CloudFormation (SCPs work alongside IaC; modern Tag Policies can also help validate IaC templates, but SCPs are the direct enforcement mechanism mentioned).

SCPs are a standard preventive control in multi-account setups for tagging governance. They don't rely on ongoing remediation and scale across Organizations.

Why the other options fall short

Option A: Uses Tag Editor + cost allocation tags (good for existing + billing). However, it lacks any enforcement for future resources. New RDS/DynamoDB resources could still be created without the tags, violating the "all current and future" requirement and the management mandate. No preventive control.
Option B: Relies on AWS Config (for detection) + a centralized Lambda that runs hourly with cross-account IAM roles to auto-tag untagged resources. This is a reactive approach. It adds operational overhead (custom Lambda, scheduling, permissions management across accounts), potential race conditions, and doesn't prevent creation of untagged resources. The company already mandates CloudFormation with consistent tagging — a preventive policy (like in C) is more strategic and lower-maintenance than ongoing hourly remediation.
Option D: Defines cost allocation tags (good) and modifies federated roles (IAM policies) to restrict provisioning without tags. This can work in theory via IAM condition keys (aws:RequestTag), but:
- It only affects users/roles that assume those specific federated roles.
- It doesn't cover all possible creation paths (e.g., direct console access, other IAM users, service-linked roles, or certain CloudFormation behaviors).
- SCPs are the preferred, organization-wide way to enforce this across all accounts and principals in AWS Organizations. Modifying individual roles is less scalable and centralized.

Additional best practices (for your learning notes)

Tag Policies (in AWS Organizations) complement SCPs. They can enforce required tag keys/values and now integrate with IaC validation (CloudFormation Hooks, etc.) for even stronger consistency with the company's CloudFormation mandate.
For RDS and DynamoDB specifically, tags are fully supported, including cost allocation.
After tagging existing resources and activating cost allocation tags, monitor in Cost Explorer (grouped by tags) and AWS Organizations billing views.
Combine with AWS Config required-tags rule for ongoing compliance monitoring and alerts (but not as the primary enforcement).

Comments (0)

No comments yet.

A solutions architect is planning to migrate critical Microsoft SQL Server databases to AWS. Because the databases are legacy systems,the solutions architect will move the databases to a modern data architecture.The solutions architect must migrate the databases with near-zero downtime. Which solution will meet these requirements?

Exam-Like

Last updated: April 14, 2026 at 13:11

Use AWS Application Migration Service and the AWS Schema Conversion Tool (AWS SCT). Perform an in-place upgrade before the migration. Export the migrated data to Amazon Aurora Serverless after cutover. Repoint the applications to Amazon Aurora

15.4%

Use AWS Databnse Migration Service (AWS DMS) to rehost the database. Set Amazon S3 as a target. Set up change data capture (CDC) replication When the source-and destination are fully synchronized, load the data from Amazon S3 into an Amazon RDS for Microsoft SQL Server DB instance

53.8%

Use native database high availability tools. Connect the source system to an Amazon RDS for Microsoft SQL Server DB instance. Configure replication accordingly. When data replication is finished, transition the workload to an Amazon RDS for Microsoft SQL Server DB instance