Logo
AWS Certified Solutions Architect - Professional / Question #811 of 529

Question #811

A multinational corporation has encountered audit findings due to inconsistent tagging of AWS resources, leading to challenges in tracking costs for Amazon RDS and DynamoDB across multiple AWS Organizations accounts. The organization mandates that all infrastructure is deployed via AWS CloudFormation with standardized tags, but existing resources lack required cost center and project ID tags. Management requires immediate remediation for existing resources and enforcement of tagging policies for future deployments.

Which solution will ensure compliance with tagging requirements for both existing and new resources?

A

Use AWS Resource Groups to identify untagged resources. Create cost allocation tags for cost center and project ID, then use AWS Lambda to retroactively tag resources. Rely on CloudFormation stack policies to enforce tagging for new resources.
B

Deploy AWS Organizations tag policies to enforce tagging standards. Use AWS Config to remediate non-compliant existing resources and apply cost allocation tags. Allow 48 hours for tags to appear in cost reports.
C

Use Tag Editor to apply missing tags to existing resources. Create cost allocation tags for cost center and project ID. Implement SCPs to block resource creation without required tags across all accounts.
D

Enable AWS Cost Explorer to analyze untagged resources. Create a cross-account IAM role to tag existing resources via CLI. Modify CloudFormation templates to include tags and enforce via code reviews.

Explanation

The correct answer is C because it directly addresses both remediation of existing resources and enforcement for future deployments. Tag Editor allows immediate tagging of existing resources, ensuring compliance for audit findings. Creating cost allocation tags ensures these tags appear in cost reports. Service Control Policies (SCPs) prevent the creation of new resources without required tags, enforcing future compliance across all accounts.

Other options are incorrect because:
- A: CloudFormation stack policies do not enforce tagging; they prevent resource updates.
- B: AWS Organizations tag policies only report non-compliance and do not block resource creation. AWS Config remediation requires setup time, which may delay immediate action.
- D: Manual CLI tagging and code reviews are less reliable than SCPs for enforcement.

Key Points:
1. Use Tag Editor for quick remediation of existing resources.
2. SCPs enforce tagging policies proactively.
3. Cost allocation tags must be activated for cost tracking.

Answer

The correct answer is: C