AWS Certified Solutions Architect - Associate

Explanation

Correct Answer: A

Why Option A is correct:

1. AWS Organizations with tagged resources: The company already uses AWS Organizations and tags resources by account. This provides a structured way to identify resources.
2. AWS Config for compliance: AWS Config can be used to identify resources that don't have required tags (untagged resources).
3. Programmatic tagging: Once untagged resources are identified, they can be tagged programmatically using AWS Lambda or other automation tools.
4. Tag-based backup plans: AWS Backup supports tag-based selection, allowing backup plans to automatically include all resources with specific tags.
5. Least operational overhead: This approach automates the entire process - identifying untagged resources, tagging them, and including them in backups - minimizing manual intervention.

Why other options are incorrect:

Option B: AWS Config can identify resources that are not running, but this doesn't address the requirement to back up ALL AWS resources. Some resources might be stopped but still need backup, and running resources also need backup.

Option C: Requiring manual review by account owners creates significant operational overhead and is prone to human error, making it the opposite of "least operational overhead."

Option D: Amazon Inspector is a security vulnerability assessment service, not designed for identifying resources for backup. It focuses on security compliance, not resource inventory management.

Key AWS Services Involved:

• AWS Organizations: For multi-account management
• AWS Config: For resource inventory and compliance checking
• AWS Backup: For centralized backup management
• Tags: For resource categorization and selection

This solution provides a scalable, automated approach that leverages existing tagging practices and minimizes manual effort while ensuring comprehensive backup coverage.