Answer-first summary for fast verification
Answer: Create a tag policy in Organizations that has a list of allowed application names.
## Explanation **Correct Answer: D** - Create a tag policy in Organizations that has a list of allowed application names. **Why this is correct:** 1. **AWS Organizations Tag Policies** are specifically designed for this use case. They allow you to enforce tagging standards across all accounts in your organization. 2. **Tag policies** can define allowed values for specific tags (like `application name`), ensuring that only predefined values are used. 3. **Enforcement mechanism**: When a tag policy is violated, AWS will prevent the creation or modification of resources with non-compliant tags. 4. **Organization-wide scope**: Since the company has multiple accounts in AWS Organizations, tag policies can be applied at the organization level, ensuring consistent enforcement across all development team accounts. **Why other options are incorrect:** **A. Create an IAM group that has a conditional Allow policy** - IAM policies can enforce tagging requirements, but this would need to be implemented in every account separately. - This approach doesn't scale well across multiple accounts and requires manual management in each account. - While technically possible with IAM policies, it's not the most efficient or scalable solution for an organization with multiple accounts. **B. Create a cross-account role that has a Deny policy** - A Deny policy for resources with the application name tag would actually prevent resources from being created with ANY application name tag, which is the opposite of what's needed. - The requirement is to ALLOW creation only with APPROVED values, not to DENY all tagged resources. **C. Create a resource group in AWS Resource Groups** - Resource Groups are for organizing and viewing resources based on tags, not for enforcing tagging policies. - Resource Groups don't prevent resource creation with non-compliant tags; they only help you find resources that already have specific tags. - This is a monitoring/reporting tool, not an enforcement mechanism. **Key AWS Services for Tag Governance:** 1. **AWS Organizations Tag Policies** - For enforcing tag standards across accounts 2. **AWS Config Rules** - For detecting non-compliant resources (but not preventing creation) 3. **Service Control Policies (SCPs)** - Can also enforce tagging but are more complex for this specific use case **Best Practice:** For organization-wide tag enforcement with predefined allowed values, AWS Organizations Tag Policies are the recommended solution as they provide centralized management and enforcement across all member accounts.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A company created a new organization in AWS Organizations. The organization has multiple accounts for the company's development teams. The development team members use AWS IAM Identity Center (AWS Single Sign-On) to access the accounts. For each of the company's applications, the development teams must use a predefined application name to tag resources that are created.
A solutions architect needs to design a solution that gives the development team the ability to create resources only if the application name tag has an approved value.
Which solution will meet these requirements?
A
Create an IAM group that has a conditional Allow policy that requires the application name tag to be specified for resources to be created.
B
Create a cross-account role that has a Deny policy for any resource that has the application name tag.
C
Create a resource group in AWS Resource Groups to validate that the tags are applied to all resources in all accounts.
D
Create a tag policy in Organizations that has a list of allowed application names.