AWS Certified Solutions Architect – Associate (SAA-C03) — Question 431
A company is running its production and nonproduction environment workloads in multiple AWS accounts. The accounts are in an organization in AWS Organizations. The company needs to design a solution that will prevent the modification of cost usage tags.
Which solution will meet these requirements?
Answer options
- A. Create a custom AWS Config rule to prevent tag modification except by authorized principals.
- B. Create a custom trail in AWS CloudTrail to prevent tag modification.
- C. Create a service control policy (SCP) to prevent tag modification except by authorized principals.
- D. Create custom Amazon CloudWatch logs to prevent tag modification.
Correct answer: C
Explanation
A service control policy (SCP) in AWS Organizations allows administrators to centrally manage permissions and define guardrails that prevent unauthorized actions, such as modifying cost allocation tags, across multiple accounts. AWS Config can detect and flag non-compliant resources, but it cannot actively block modification actions. AWS CloudTrail and Amazon CloudWatch are auditing and monitoring tools, respectively, and lack the capability to enforce preventive access controls.
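An SCP of the kind the explanation describes, added here as an illustration rather than taken from the exam or from AWS documentation: it denies adding or removing the protected cost tag keys on EC2 resources unless the caller is a designated tag-administration role. The two conditions are ANDed, so the Deny fires only when a request names one of the listed tag keys and the principal is not the admin role. The tag key names `CostCenter` and `Project` and the role name `TagAdministrator` are placeholders to be replaced with the organization's own values; `aws:TagKeys` and `aws:PrincipalArn` are standard global condition keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCostTagChangesExceptByTagAdministrator",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "CostCenter",
            "Project"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/TagAdministrator"
        }
      }
    }
  ]
}
```

The SCP is a guardrail only: it does not apply to the organization's management account and grants nothing, so the `TagAdministrator` role still needs an IAM policy that allows the tagging actions.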