AWS Certified Solutions Architect – Associate (SAA-C03) — Question 946

A company is designing the architecture for a new mobile app that uses the AWS Cloud. The company uses organizational units (OUs) in AWS Organizations to manage its accounts. The company wants to tag Amazon EC2 instances with data sensitivity by using values of sensitive and nonsensitive. IAM identities must not be able to delete a tag or create instances without a tag.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

Correct answer: A, D

Explanation

Tag policies in AWS Organizations are designed to standardize tags across resources, ensuring correct capitalization and allowed values (such as 'sensitive' and 'nonsensitive'), which satisfies the first requirement. However, tag policies cannot prevent actions like launching untagged resources or deleting tags; for preventative enforcement, Service Control Policies (SCPs) must be used to deny the RunInstances API call when the tag is missing and deny the DeleteTags API call.
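The preventative half of the answer, as an added example that is not part of the original question or its explanation: an SCP attached to the OU that denies `ec2:RunInstances` when the sensitivity tag is absent from the request and denies `ec2:DeleteTags` on instances. The tag key name `DataSensitivity` is an assumption; the tag policy that restricts values to `sensitive` and `nonsensitive` is a separate policy document and is not shown here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutDataSensitivityTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/DataSensitivity": "true"
        }
      }
    },
    {
      "Sid": "DenyDeleteTagsOnInstances",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "arn:aws:ec2:*:*:instance/*"
    }
  ]
}
```

The `Null` condition evaluates to true only when the request carries no `DataSensitivity` tag, so tagged launches are unaffected; SCPs only deny, so the accounts still need IAM permissions that allow `ec2:RunInstances` and `ec2:CreateTags`.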