AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company created a new organization in AWS Organizations. The organization has multiple accounts for the company's development teams. The development team members use AWS IAM Identity Center (AWS Single Sign-On) to access the accounts. For each of the company's applications, the development teams must use a predefined application name to tag resources that are created.
A solutions architect needs to design a solution that gives the development team the ability to create resources only if the application name tag has an approved value.
Which solution will meet these requirements?
Other
Community
UAnonymous
A
Create an IAM group that has a conditional Allow policy that requires the application name tag to be specified for resources to be created.
B
Create a cross-account role that has a Deny policy for any resource that has the application name tag.
C
Create a resource group in AWS Resource Groups to validate that the tags are applied to all resources in all accounts.
D
Create a tag policy in Organizations that has a list of allowed application names.
Explanation:
Explanation
Correct Answer: D - Create a tag policy in Organizations that has a list of allowed application names.
Why this is correct:
- AWS Organizations Tag Policies are specifically designed for this use case. They allow you to enforce tagging standards across all accounts in your organization.
- Tag policies can define allowed values for specific tags (like
application name), ensuring that only predefined values are used. - Enforcement mechanism: When a tag policy is violated, AWS will prevent the creation or modification of resources with non-compliant tags.
- Organization-wide scope: Since the company has multiple accounts in AWS Organizations, tag policies can be applied at the organization level, ensuring consistent enforcement across all development team accounts.
Why other options are incorrect:
A. Create an IAM group that has a conditional Allow policy
- IAM policies can enforce tagging requirements, but this would need to be implemented in every account separately.
- This approach doesn't scale well across multiple accounts and requires manual management in each account.
- While technically possible with IAM policies, it's not the most efficient or scalable solution for an organization with multiple accounts.
B. Create a cross-account role that has a Deny policy
- A Deny policy for resources with the application name tag would actually prevent resources from being created with ANY application name tag, which is the opposite of what's needed.
- The requirement is to ALLOW creation only with APPROVED values, not to DENY all tagged resources.
C. Create a resource group in AWS Resource Groups
- Resource Groups are for organizing and viewing resources based on tags, not for enforcing tagging policies.
- Resource Groups don't prevent resource creation with non-compliant tags; they only help you find resources that already have specific tags.
- This is a monitoring/reporting tool, not an enforcement mechanism.
Key AWS Services for Tag Governance:
- AWS Organizations Tag Policies - For enforcing tag standards across accounts
- AWS Config Rules - For detecting non-compliant resources (but not preventing creation)
- Service Control Policies (SCPs) - Can also enforce tagging but are more complex for this specific use case
Best Practice: For organization-wide tag enforcement with predefined allowed values, AWS Organizations Tag Policies are the recommended solution as they provide centralized management and enforcement across all member accounts.
Comments
Loading comments...