A company is running its production and nonproduction environment workloads in multiple AWS accounts. The accounts are in an organization in AWS Organizations. The company needs to design a solution that will prevent the modification of cost usage tags.
Which solution will meet these requirements?
A. Create a custom AWS Config rule to prevent tag modification except by authorized principals.
B. Create a custom trail in AWS CloudTrail to prevent tag modification.
C. Create a service control policy (SCP) to prevent tag modification except by authorized principals.
D. Create custom Amazon CloudWatch logs to prevent tag modification.
Explanation:
Correct Answer: C - Create a service control policy (SCP) to prevent tag modification except by authorized principals.
Why this is correct:
SCPs are designed for organizational control: Service Control Policies (SCPs) are specifically designed to manage permissions across multiple AWS accounts within an AWS Organizations structure. They act as guardrails that define the maximum permissions for accounts in the organization.
Preventive control: SCPs can prevent actions before they happen, which is exactly what's needed to "prevent the modification of cost usage tags." SCPs can deny specific actions like ec2:CreateTags, ec2:DeleteTags, or ec2:ModifyTags for unauthorized principals.
Organization-wide enforcement: Since the company has multiple AWS accounts in an organization, SCPs can be applied at the organization, organizational unit (OU), or individual account level to enforce consistent policies across all accounts.
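To make the SCP guardrail concrete, here is an added example (not part of the quiz or its explanation) that builds the SCP document and includes a small, simplified model of how its single Deny statement is evaluated, so you can see which requests it blocks. The protected tag keys (CostCenter, Project), the authorized role name (TagAdminRole) and the account IDs are assumed placeholders; the IAM actions and condition keys used (ec2:CreateTags, ec2:DeleteTags, tag:TagResources, tag:UntagResources, aws:TagKeys, aws:PrincipalArn) are real ones. The evaluator models only this statement's logic, not full IAM policy evaluation.

```python
import fnmatch
import json

# Assumed placeholders (not from the quiz): the cost allocation tag keys to
# protect and the role that is allowed to change them. Replace for your org.
PROTECTED_TAG_KEYS = ["CostCenter", "Project"]
AUTHORIZED_PRINCIPAL_PATTERN = "arn:aws:iam::*:role/TagAdminRole"

# Actions that add or remove tags on EC2 resources and, via the Resource
# Groups Tagging API, on resources of many other services.
TAG_WRITE_ACTIONS = [
    "ec2:CreateTags",
    "ec2:DeleteTags",
    "tag:TagResources",
    "tag:UntagResources",
]

# The SCP: deny tag writes that touch a protected key unless the caller is
# the authorized tag-administration role. SCPs only set the maximum
# permissions; identities still need an IAM allow to tag anything at all.
SCP_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCostTagChangesExceptTagAdmin",
            "Effect": "Deny",
            "Action": TAG_WRITE_ACTIONS,
            "Resource": "*",
            "Condition": {
                # Deny only when at least one requested key is protected...
                "ForAnyValue:StringEquals": {"aws:TagKeys": PROTECTED_TAG_KEYS},
                # ...and the principal is not the authorized role.
                "ArnNotLike": {"aws:PrincipalArn": AUTHORIZED_PRINCIPAL_PATTERN},
            },
        }
    ],
}


def render_scp() -> str:
    """Return the SCP as the JSON you would attach to an OU or account."""
    return json.dumps(SCP_DOCUMENT, indent=2)


def scp_denies(action: str, tag_keys: list, principal_arn: str) -> bool:
    """Simplified model of this SCP's Deny statement.

    Returns True when the statement explicitly denies the request, i.e. the
    action matches, any requested tag key is protected, and the principal
    ARN does not match the authorized pattern. IAM's '*' and '?' wildcards
    are approximated with fnmatch.
    """
    for stmt in SCP_DOCUMENT["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, p) for p in actions):
            continue
        cond = stmt["Condition"]
        protected = set(cond["ForAnyValue:StringEquals"]["aws:TagKeys"])
        # ForAnyValue: condition is false when no requested key is protected.
        if not protected.intersection(tag_keys):
            continue
        allowed = cond["ArnNotLike"]["aws:PrincipalArn"]
        if fnmatch.fnmatchcase(principal_arn, allowed):
            continue
        return True
    return False


if __name__ == "__main__":
    print(render_scp())
    dev = "arn:aws:iam::111122223333:role/Developer"       # constructed
    admin = "arn:aws:iam::111122223333:role/TagAdminRole"  # constructed
    print("developer sets CostCenter denied:", scp_denies("ec2:CreateTags", ["CostCenter"], dev))
    print("tag admin sets CostCenter denied:", scp_denies("ec2:CreateTags", ["CostCenter"], admin))
    print("developer sets Name denied:", scp_denies("ec2:CreateTags", ["Name"], dev))
```

Two caveats a practitioner should keep in mind: an SCP never affects the organization's management account or service-linked roles, so those remain able to change the tags, and the authorized role itself should be tightly scoped, since the SCP exempts it. Pairing the SCP with an Organizations tag policy keeps the protected keys and their allowed values consistent across accounts, and CloudTrail still records the attempts that the SCP denies, which is what you would alert on.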
Why other options are incorrect:
A (AWS Config rule): AWS Config rules are detective controls, not preventive. They can detect when tags have been modified after the fact, but cannot prevent the modification from occurring.
B (AWS CloudTrail trail): CloudTrail is an auditing/logging service that records API calls. It can log when tag modifications occur, but cannot prevent them from happening.
D (Amazon CloudWatch logs): CloudWatch is a monitoring and observability service. It can collect and analyze logs, but cannot prevent actions from occurring.
Key AWS Concepts:
Best Practice: When you need to enforce organizational policies across multiple AWS accounts, SCPs are the appropriate tool for establishing guardrails and preventing unauthorized actions.