AWS Certified Solutions Architect – Associate (SAA-C03) — Question 620
A company maintains an Amazon RDS database that maps users to cost centers. The company has accounts in an organization in AWS Organizations. The company needs a solution that will tag all resources that are created in a specific AWS account in the organization. The solution must tag each resource with the cost center ID of the user who created the resource.
Which solution will meet these requirements?
Answer options
- A. Move the specific AWS account to a new organizational unit (OU) in Organizations from the management account. Create a service control policy (SCP) that requires all existing resources to have the correct cost center tag before the resources are created. Apply the SCP to the new OU.
- B. Create an AWS Lambda function to tag the resources after the Lambda function looks up the appropriate cost center from the RDS database. Configure an Amazon EventBridge rule that reacts to AWS CloudTrail events to invoke the Lambda function.
- C. Create an AWS CloudFormation stack to deploy an AWS Lambda function. Configure the Lambda function to look up the appropriate cost center from the RDS database and to tag resources. Create an Amazon EventBridge scheduled rule to invoke the CloudFormation stack.
- D. Create an AWS Lambda function to tag the resources with a default value. Configure an Amazon EventBridge rule that reacts to AWS CloudTrail events to invoke the Lambda function when a resource is missing the cost center tag.
Correct answer: B
Explanation
Option B is correct because AWS CloudTrail captures API calls for resource creation, which can trigger an Amazon EventBridge rule in near real-time to invoke an AWS Lambda function. This Lambda function can extract the creator's identity, query the Amazon RDS database for the corresponding cost center, and tag the resource. Option A is incorrect because Service Control Policies (SCPs) cannot query external databases to dynamically apply tags. Options C and D are incorrect because scheduled rules do not provide real-time tagging, and using a default value fails to meet the requirement of tagging with the specific user's cost center.