AWS Certified Solutions Architect - Professional


A company utilizes AWS Organizations to manage its AWS accounts and employs AWS CloudFormation for infrastructure deployment. The finance team aims to develop a chargeback model and has requested each business unit to tag resources with a specific set of project values. Upon using the AWS Cost and Usage Report in AWS Cost Explorer to filter by project, the finance team identified noncompliant project values. The company seeks to enforce the use of compliant project tags for new resources with minimal effort. Which solution best meets these requirements?




Explanation:

Option A is the correct answer because it suggests creating a tag policy in the organization's management account, which is the only place where tag policies can be created according to AWS best practices. Additionally, it recommends creating a Service Control Policy (SCP) to enforce project tag compliance by denying the cloudformation:CreateStack API operation unless a project tag is included. This solution ensures that all new resources are compliant with the predefined project tag values with minimal effort. Although attaching the SCP to each OU is mentioned, it is implied that you could also attach it to the Root OU to cover all child OUs, thereby simplifying the enforcement process further.