Learn how to enforce the use of project tags in AWS Organizations using Service Control Policies. Ensure compliance and simplify chargeback with effective resource tagging.
Question
A company uses an organization in AWS Organizations to manage the company’s AWS accounts. The company uses AWS CloudFormation to deploy all infrastructure. A finance team wants to build a chargeback model. The finance team asked each business unit to tag resources by using a predefined list of project values.
When the finance team used the AWS Cost and Usage Report in AWS Cost Explorer and filtered based on project, the team noticed noncompliant project values. The company wants to enforce the use of project tags for new resources.
Which solution will meet these requirements with the LEAST effort?
A. Create a tag policy that contains the allowed project tag values in the organization’s management account. Create an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added. Attach the SCP to each OU.
B. Create a tag policy that contains the allowed project tag values in each OU. Create an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added. Attach the SCP to each OU.
C. Create a tag policy that contains the allowed project tag values in the AWS management account. Create an IAM policy that denies the cloudformation:CreateStack API operation unless a project tag is added. Assign the policy to each user.
D. Use AWS Service Catalog to manage the CloudFormation stacks as products. Use a TagOptions library to control project tag values. Share the portfolio with all OUs that are in the organization.
Answer
A. Create a tag policy that contains the allowed project tag values in the organization’s management account. Create an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added. Attach the SCP to each OU.
Explanation
This option enforces project tags on new resources with the least effort. A single tag policy created in the organization's management account defines the allowed project tag values for every account in the organization.
The SCP (Service Control Policy) denies cloudformation:CreateStack unless the request carries a project tag, so every new stack, and the resources it deploys, is tagged. Attaching the SCP to each OU (Organizational Unit) applies it to all accounts in those OUs.
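The two policy documents option A describes, as an added illustration that is not part of the original page, together with a small local check that mirrors how the SCP's Null condition and the tag policy's allowed-value list treat a CreateStack request. The sample project values and the enforced_for resource type are assumptions.

```python
# Tag policy for the organization's management account. The allowed values
# are constructed samples; the enforced_for type is assumed to be supported.
TAG_POLICY = {
    "tags": {
        "project": {
            "tag_key": {"@@assign": "project"},
            "tag_value": {"@@assign": ["alpha", "beta", "gamma"]},
            "enforced_for": {"@@assign": ["cloudformation:stack"]},
        }
    }
}

# SCP attached to each OU: deny CreateStack when the request carries no
# "project" tag (the Null condition is true when the key is absent).
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCreateStackWithoutProjectTag",
        "Effect": "Deny",
        "Action": "cloudformation:CreateStack",
        "Resource": "*",
        "Condition": {"Null": {"aws:RequestTag/project": "true"}},
    }],
}


def scp_denies(request_tags: dict) -> bool:
    """Local re-implementation of the SCP's Null condition, not AWS's evaluator."""
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "cloudformation:CreateStack":
            continue
        for key, expect_null in stmt["Condition"]["Null"].items():
            tag_key = key.removeprefix("aws:RequestTag/")
            if (tag_key not in request_tags) == (expect_null == "true"):
                return True  # condition matches, explicit deny wins
    return False


def tag_policy_compliant(request_tags: dict) -> bool:
    """True when the project tag is present with a value on the allowed list."""
    rule = TAG_POLICY["tags"]["project"]
    return request_tags.get(rule["tag_key"]["@@assign"]) in rule["tag_value"]["@@assign"]


def check_create_stack(request_tags: dict) -> str:
    """Outcome for a CreateStack request carrying the given tags."""
    if scp_denies(request_tags):
        return "denied-by-scp"
    if not tag_policy_compliant(request_tags):
        return "allowed-but-noncompliant"  # SCP checks presence only, not value
    return "allowed-compliant"
```

The check makes the split between the two controls visible: the SCP blocks a stack that has no project tag at all, while a present but disallowed value passes the SCP and is flagged by the tag policy.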
Practice question and answer for the Amazon AWS Certified Solutions Architect – Professional (SAP-C02) certification exam.