AWS Certified Solutions Architect – Associate (SAA-C03) — Question 625
A company created a new organization in AWS Organizations. The organization has multiple accounts for the company's development teams. The development team members use AWS IAM Identity Center (AWS Single Sign-On) to access the accounts. For each of the company's applications, the development teams must use a predefined application name to tag resources that are created.
A solutions architect needs to design a solution that gives the development team the ability to create resources only if the application name tag has an approved value.
Which solution will meet these requirements?
Answer options
- A. Create an IAM group that has a conditional Allow policy that requires the application name tag to be specified for resources to be created.
- B. Create a cross-account role that has a Deny policy for any resource that has the application name tag.
- C. Create a resource group in AWS Resource Groups to validate that the tags are applied to all resources in all accounts.
- D. Create a tag policy in Organizations that has a list of allowed application names.
Correct answer: D
Explanation
Tag policies in AWS Organizations let you define, centrally and for every account in the organization, how a tag may be used: the canonical tag key (including its capitalization), the list of allowed values for that key, and optionally the resource types for which compliance is enforced. When enforcement is turned on for a resource type, a create or tag operation that supplies a value outside the allowed list is rejected, which is exactly the control the question asks for. Two caveats matter in practice: enforcement prevents non-compliant values but does not by itself make the tag mandatory on every new resource (teams commonly pair the tag policy with a service control policy that uses the aws:RequestTag condition key for that), and enforcement is only supported for a subset of resource types. The other options fall short: an IAM group policy (A) lives in a single account and would have to be duplicated and kept in sync everywhere, and requiring a tag to be "specified" does not restrict it to approved values; a Deny on any resource that carries the tag (B) blocks the opposite of what is wanted; and AWS Resource Groups (C) only query and group resources by tag after they exist and enforce nothing at creation time.
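The following tag policy is an added illustration of the kind of document option D refers to; it is not part of the original question or of AWS's own documentation. The tag key ApplicationName, the three application names, and the three enforced resource types are constructed for this example. The @@assign operator sets the value for the whole subtree the policy is attached to, tag_key fixes the key's capitalization, tag_value is the allow-list, and enforced_for names the resource types on which a non-compliant value is rejected rather than merely reported:

```json
{
  "tags": {
    "ApplicationName": {
      "tag_key": {
        "@@assign": "ApplicationName"
      },
      "tag_value": {
        "@@assign": [
          "payments-api",
          "inventory-service",
          "customer-portal"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance",
          "ec2:volume",
          "s3:bucket"
        ]
      }
    }
  }
}
```

Attach the policy to the organization root (or to the OU holding the development accounts) after enabling the tag-policies feature in Organizations. Because enforced_for only rejects wrong values on the listed resource types, a resource created with no ApplicationName tag at all would still succeed under this policy alone; the SCP mentioned above closes that gap.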