AWS Certified Solutions Architect – Professional (SAP-C02) — Question 267
A company is designing an AWS Organizations structure. The company wants to standardize a process to apply tags across the entire organization. The company will require tags with specific values when a user creates a new resource. Each of the company's OUs will have unique tag values.
Which solution will meet these requirements?
Answer options
- A. Use an SCP to deny the creation of resources that do not have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the OUs.
- B. Use an SCP to deny the creation of resources that do not have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the organization's management account.
- C. Use an SCP to allow the creation of resources only when the resources have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the OUs.
- D. Use an SCP to deny the creation of resources that do not have the required tags. Define the list of tags. Attach the SCP to the OUs.
Correct answer: A
Explanation
To enforce the tagging requirement, use a service control policy (SCP) with a 'Deny' effect that blocks resource creation when the specified tags are missing. An explicit deny is the most reliable enforcement method because it overrides any allow. Because each organizational unit (OU) requires unique tag values, the corresponding tag policies must be attached directly to the individual OUs rather than to the management account. Tag policies define the acceptable values for tags, ensuring compliance across the different OUs.