AWS Certified Solutions Architect - Professional

Question #765

A company is restructuring its AWS Organizations setup to enforce consistent tagging practices. The company needs to mandate specific tag keys with predefined values for all new resources, with each OU having distinct allowed values. Which approach ensures resources are created only with the required tags and OU-specific values?

A

Use an SCP to block resource creation unless the required tags are present. Create tag policies specifying the allowed values for each OU. Attach the tag policies to the corresponding OUs.

B

Use an SCP to block resource creation unless the required tags are present. Create tag policies specifying the allowed values for each OU. Attach the tag policies to the organization's root.

C

Use an SCP to permit resource creation only when the required tags are present. Create tag policies specifying the allowed values for each OU. Attach the tag policies to the corresponding OUs.

D

Use an SCP to block resource creation unless the required tags are present. Define the allowed tag values directly in the SCP. Attach the SCP to the OUs.

Explanation

The correct answer is A because:
1. SCPs block resource creation unless required tags are present, enforcing tag existence.
2. Tag Policies (attached to OUs) specify allowed values for each OU, ensuring OU-specific values.

Why other options are incorrect:
- B: Tag policies attached to the root cannot enforce OU-specific values.
- C: SCPs cannot validate tag values; they only enforce presence. Tag policies handle values.
- D: SCPs are not designed to manage allowed tag values; tag policies are the proper tool.

Key Points:
- Use SCPs to enforce tag presence.
- Use OU-specific tag policies for allowed values.
- Tag policies are inherited from higher levels but can be overridden at the OU level.
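As an added example (not part of the question page), the two policy documents that option A combines, written as Python dicts that can be dumped to JSON for AWS Organizations, plus a small offline model of how they combine on a create request. The tag key CostCenter, the OU names, the cost-center codes and the EC2 actions are assumed for illustration.

```python
import json

# SCP: deny creating EC2 instances and volumes when the CostCenter tag key is
# absent from the request. The Null condition evaluates true when the request
# carries no aws:RequestTag/CostCenter at all; it does not inspect the value.
SCP_REQUIRE_COSTCENTER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCreateWithoutCostCenter",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
        "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
        "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}},
    }],
}

# Tag policy per OU: each OU assigns its own allowed CostCenter values.
# enforced_for makes non-compliant values fail on the listed resource types.
def tag_policy(allowed_values):
    return {"tags": {"CostCenter": {
        "tag_key": {"@@assign": "CostCenter"},
        "tag_value": {"@@assign": allowed_values},
        "enforced_for": {"@@assign": ["ec2:instance", "ec2:volume"]},
    }}}

# OU names and cost-center codes are constructed for this example.
OU_TAG_POLICIES = {
    "Finance": tag_policy(["FIN-100", "FIN-200"]),
    "Research": tag_policy(["RND-300"]),
}

def evaluate_create(ou, request_tags):
    """Offline model of the two checks on a create request: the SCP (presence)
    first, then the OU's tag policy (allowed value). Returns (allowed, reason).
    Real evaluation happens inside AWS; this only mirrors the documents above."""
    if "CostCenter" not in request_tags:
        return False, "SCP deny: CostCenter tag missing"
    allowed = OU_TAG_POLICIES[ou]["tags"]["CostCenter"]["tag_value"]["@@assign"]
    if request_tags["CostCenter"] not in allowed:
        return False, f"tag policy ({ou}) deny: value not in {allowed}"
    return True, "allowed"

if __name__ == "__main__":
    print(json.dumps(SCP_REQUIRE_COSTCENTER, indent=2))     # paste into an SCP
    print(json.dumps(OU_TAG_POLICIES["Finance"], indent=2))  # attach to Finance OU
    for ou, tags in [("Finance", {}), ("Finance", {"CostCenter": "RND-300"}),
                     ("Research", {"CostCenter": "RND-300"})]:
        print(ou, tags, "->", evaluate_create(ou, tags))
```

The SCP alone only proves the key exists; the same value "RND-300" passes in the Research OU and fails in the Finance OU purely because each OU's tag policy carries its own allowed list.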

Answer

The correct answer is: A