AWS Certified Solutions Architect - Professional / Question #893 of 529

Question #893

A company uses AWS Organizations to manage multiple AWS accounts. Each business unit deploys applications on Amazon RDS instances. All RDS instances must have an Environment tag to track resources by environment. An audit found instances missing this tag, which were manually corrected. What should a solutions architect do to enforce the tagging requirement moving forward?

A

Enable tag policies in the organization. Create a tag policy for the Environment tag. Disable compliance with tag key capitalization. Apply the tag policy to the rds:db resource type. Attach the policy to the organization's root.

B

Enable tag policies in the organization. Create a tag policy for the Environment tag. Enable compliance with tag key capitalization. Apply the tag policy to the rds:db resource type. Attach the policy to the management account.

C

Create an SCP and attach it to the organization's root. Include the statement:

```json
{
  "Sid": "DenyRDSCreation",
  "Effect": "Deny",
  "Action": ["rds:CreateDBInstance"],
  "Resource": "arn:aws:rds:*:*:db:*",
  "Condition": {
    "Null": {
      "aws:RequestTag/Environment": "true"
    }
  }
}
```

D

Create an SCP and attach it to the management account. Include the statement:

```json
{
  "Sid": "DenyRDSCreation",
  "Effect": "Deny",
  "Action": ["rds:CreateDBInstance"],
  "Resource": "arn:aws:rds:*:*:db:*",
  "Condition": {
    "Null": {
      "aws:RequestTag/Environment": "false"
    }
  }
}
```

Explanation

Option C is correct because:
1. SCP Enforcement: Service Control Policies (SCPs) can proactively deny actions unless specific conditions (like required tags) are met. This prevents RDS instances from being created without the Environment tag.
2. Condition Logic: The SCP uses "Null": {"aws:RequestTag/Environment": "true"}, which evaluates to true only when the request carries no Environment tag, so the Deny fires for untagged CreateDBInstance calls and leaves tagged ones unaffected. This makes the tag mandatory at creation time.
3. Scope: Attaching the SCP to the organization's root ensures it applies to all member accounts.

Why other options are incorrect:
- A/B: Tag policies only report non-compliance post-creation; they don't block resource creation.
- D: Uses an inverted condition ("false" matches when the Environment tag IS present, so it would deny exactly the correctly tagged requests) and attaches the SCP to the management account instead of the root, limiting its scope.
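To make the difference between options C and D concrete, the following is an added example (not from the exam page or from AWS) that simulates how the Null condition in the Deny statement evaluates against sample CreateDBInstance requests; it models only the Null operator and Action matching, and the request tag sets are constructed.

```python
"""Simulate the SCP Null condition from options C and D (added example).

Only the 'Null' condition operator and wildcard Action matching are modelled;
real SCP/IAM evaluation covers much more than this.
"""
from fnmatch import fnmatch

# Statement from option C; option D differs only in the "true"/"false" value.
SCP_C = {
    "Sid": "DenyRDSCreation",
    "Effect": "Deny",
    "Action": ["rds:CreateDBInstance"],
    "Resource": "arn:aws:rds:*:*:db:*",
    "Condition": {"Null": {"aws:RequestTag/Environment": "true"}},
}
SCP_D = {**SCP_C, "Condition": {"Null": {"aws:RequestTag/Environment": "false"}}}


def null_condition_matches(null_block: dict, request_tags: dict) -> bool:
    """IAM 'Null' semantics: "true" matches when the key is ABSENT from the
    request, "false" matches when it is PRESENT. Every key must match."""
    prefix = "aws:RequestTag/"
    for cond_key, expected in null_block.items():
        if not cond_key.startswith(prefix):
            raise ValueError(f"unsupported condition key {cond_key!r} in this simulation")
        key_is_null = cond_key[len(prefix):] not in request_tags
        if key_is_null != (expected == "true"):
            return False
    return True


def is_denied(statement: dict, action: str, request_tags: dict) -> bool:
    """Return True if this Deny statement blocks the given API call."""
    if statement["Effect"] != "Deny":
        return False
    if not any(fnmatch(action, pattern) for pattern in statement["Action"]):
        return False
    return null_condition_matches(statement["Condition"]["Null"], request_tags)


if __name__ == "__main__":
    tagged = {"Environment": "prod", "Owner": "payments"}  # constructed request
    untagged = {"Owner": "payments"}                        # constructed request
    for name, scp in (("C", SCP_C), ("D", SCP_D)):
        for label, tags in (("tagged", tagged), ("untagged", untagged)):
            denied = is_denied(scp, "rds:CreateDBInstance", tags)
            print(f"Option {name}, {label} CreateDBInstance -> denied={denied}")
```

Running it shows option C denying only the untagged request, while option D denies only the tagged one.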

Key Takeaway: Use SCPs with explicit Deny rules and correct conditions to enforce mandatory tags at resource creation.

Answer

The correct answer is: C