
Answer-first summary for fast verification
Answer: Implement a tag policy with the allowed project tag values in the organization's management account. Additionally, create a Service Control Policy (SCP) that restricts the cloudformation:CreateStack API operation unless a project tag is included. Apply this SCP to each Organizational Unit (OU).
Option A is the correct answer because it suggests creating a tag policy in the organization's management account, which is the only place where tag policies can be created according to AWS best practices. Additionally, it recommends creating a Service Control Policy (SCP) to enforce project tag compliance by denying the cloudformation:CreateStack API operation unless a project tag is included. This solution ensures that all new resources are compliant with the predefined project tag values with minimal effort. Although attaching the SCP to each OU is mentioned, it is implied that you could also attach it to the Root OU to cover all child OUs, thereby simplifying the enforcement process further.
Author: LeetQuiz Editorial Team
A company utilizes AWS Organizations to manage its AWS accounts and employs AWS CloudFormation for infrastructure deployment. The finance team aims to develop a chargeback model and has requested each business unit to tag resources with a specific set of project values. Upon using the AWS Cost and Usage Report in AWS Cost Explorer to filter by project, the finance team identified noncompliant project values. The company seeks to enforce the use of compliant project tags for new resources with minimal effort. Which solution best meets these requirements?
A. Implement a tag policy with the allowed project tag values in the organization's management account. Additionally, create a Service Control Policy (SCP) that restricts the cloudformation:CreateStack API operation unless a project tag is included. Apply this SCP to each Organizational Unit (OU).
B. Establish a tag policy with the allowed project tag values within each OU. Furthermore, devise an SCP that prohibits the cloudformation:CreateStack API operation without a project tag. Attach this SCP to each OU.
C. Develop a tag policy with the allowed project tag values in the AWS management account. Also, create an IAM policy that denies the cloudformation:CreateStack API operation if a project tag is not present. Assign this policy to all users.
D. Leverage AWS Service Catalog to manage CloudFormation stacks as products. Utilize a TagOptions library to regulate project tag values and share the portfolio across all OUs within the organization.
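The two policy documents that option A describes, as an added example that is not part of the original question or AWS's own code: the SCP checks only that a project tag is present on cloudformation:CreateStack, while the tag policy defines which values are allowed. The project values "alpha" and "beta", the Sid, and the helper functions are assumptions made for illustration, and the evaluator is a simplified local model rather than the AWS policy engine.

```python
ALLOWED = ["alpha", "beta"]  # constructed placeholder project values
CREATE = "cloudformation:CreateStack"

# Tag policy (created in the management account): allowed values for "project".
TAG_POLICY = {"tags": {"project": {
    "tag_key": {"@@assign": "project"},
    "tag_value": {"@@assign": ALLOWED},
}}}

# SCP: deny CreateStack when the request carries no "project" tag.
SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyCreateStackWithoutProjectTag",  # hypothetical Sid
    "Effect": "Deny",
    "Action": CREATE,
    "Resource": "*",
    "Condition": {"Null": {"aws:RequestTag/project": "true"}},
}]}


def scp_denies(action, request_tags):
    """Simplified local model of the SCP: handles only the single
    Deny + Null condition above, not general policy evaluation."""
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        for cond_key, want_null in stmt["Condition"]["Null"].items():
            tag_key = cond_key.split("/", 1)[1]
            is_null = tag_key not in request_tags
            if is_null == (want_null == "true"):
                return True
    return False


def tag_value_compliant(request_tags):
    """True when every key the tag policy covers has an allowed value."""
    for rule in TAG_POLICY["tags"].values():
        key = rule["tag_key"]["@@assign"]
        if key in request_tags and request_tags[key] not in rule["tag_value"]["@@assign"]:
            return False
    return True


def evaluate(request_tags):
    """Return (blocked_by_scp, value_compliant) for one CreateStack call."""
    return scp_denies(CREATE, request_tags), tag_value_compliant(request_tags)


if __name__ == "__main__":
    for tags in ({}, {"project": "alpha"}, {"project": "misc"}):  # constructed
        print(tags, evaluate(tags))
```

The third sample request shows why both policies are needed: a stack tagged project=misc passes the SCP's presence check, and only the tag policy's value list marks it as noncompliant.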