AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Explanation:

Explanation

Correct Answer: D - Create a tag policy in Organizations that has a list of allowed application names.

Why this is correct:

AWS Organizations Tag Policies are specifically designed for this use case. They allow you to enforce tagging standards across all accounts in your organization.
Tag policies can define allowed values for specific tags (like application name), ensuring that only predefined values are used.
Enforcement mechanism: When a tag policy is violated, AWS will prevent the creation or modification of resources with non-compliant tags.
Organization-wide scope: Since the company has multiple accounts in AWS Organizations, tag policies can be applied at the organization level, ensuring consistent enforcement across all development team accounts.

Why other options are incorrect:

A. Create an IAM group that has a conditional Allow policy

IAM policies can enforce tagging requirements, but this would need to be implemented in every account separately.
This approach doesn't scale well across multiple accounts and requires manual management in each account.
While technically possible with IAM policies, it's not the most efficient or scalable solution for an organization with multiple accounts.

B. Create a cross-account role that has a Deny policy

A Deny policy for resources with the application name tag would actually prevent resources from being created with ANY application name tag, which is the opposite of what's needed.
The requirement is to ALLOW creation only with APPROVED values, not to DENY all tagged resources.

C. Create a resource group in AWS Resource Groups

Resource Groups are for organizing and viewing resources based on tags, not for enforcing tagging policies.
Resource Groups don't prevent resource creation with non-compliant tags; they only help you find resources that already have specific tags.
This is a monitoring/reporting tool, not an enforcement mechanism.

Key AWS Services for Tag Governance:

AWS Organizations Tag Policies - For enforcing tag standards across accounts
AWS Config Rules - For detecting non-compliant resources (but not preventing creation)
Service Control Policies (SCPs) - Can also enforce tagging but are more complex for this specific use case

Best Practice: For organization-wide tag enforcement with predefined allowed values, AWS Organizations Tag Policies are the recommended solution as they provide centralized management and enforcement across all member accounts.

Explanation:

Explanation

Correct Answer: D - Create a tag policy in Organizations that has a list of allowed application names.

Why this is correct:

AWS Organizations Tag Policies are specifically designed for this use case. They allow you to enforce tagging standards across all accounts in your organization.
Tag policies can define allowed values for specific tags (like application name), ensuring that only predefined values are used.
Enforcement mechanism: When a tag policy is violated, AWS will prevent the creation or modification of resources with non-compliant tags.
Organization-wide scope: Since the company has multiple accounts in AWS Organizations, tag policies can be applied at the organization level, ensuring consistent enforcement across all development team accounts.

Why other options are incorrect:

A. Create an IAM group that has a conditional Allow policy

IAM policies can enforce tagging requirements, but this would need to be implemented in every account separately.
This approach doesn't scale well across multiple accounts and requires manual management in each account.
While technically possible with IAM policies, it's not the most efficient or scalable solution for an organization with multiple accounts.

B. Create a cross-account role that has a Deny policy

A Deny policy for resources with the application name tag would actually prevent resources from being created with ANY application name tag, which is the opposite of what's needed.
The requirement is to ALLOW creation only with APPROVED values, not to DENY all tagged resources.

C. Create a resource group in AWS Resource Groups

Resource Groups are for organizing and viewing resources based on tags, not for enforcing tagging policies.
Resource Groups don't prevent resource creation with non-compliant tags; they only help you find resources that already have specific tags.
This is a monitoring/reporting tool, not an enforcement mechanism.

Key AWS Services for Tag Governance:

AWS Organizations Tag Policies - For enforcing tag standards across accounts
AWS Config Rules - For detecting non-compliant resources (but not preventing creation)
Service Control Policies (SCPs) - Can also enforce tagging but are more complex for this specific use case

Comments (0)

No comments yet.

A company created a new organization in AWS Organizations. The organization has multiple accounts for the company's development teams. The development team members use AWS IAM Identity Center (AWS Single Sign-On) to access the accounts. For each of the company's applications, the development teams must use a predefined application name to tag resources that are created.

A solutions architect needs to design a solution that gives the development team the ability to create resources only if the application name tag has an approved value.

Which solution will meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create an IAM group that has a conditional Allow policy that requires the application name tag to be specified for resources to be created.

Create a cross-account role that has a Deny policy for any resource that has the application name tag.