AWS Certified Solutions Architect – Professional — Question 756

A company is developing and hosting several projects in the AWS Cloud. The projects are developed across multiple AWS accounts under the same organization in AWS Organizations. The company requires the cost for cloud infrastructure to be allocated to the owning project. The team responsible for all of the AWS accounts has discovered that several Amazon EC2 instances are lacking the Project tag used for cost allocation.

Which actions should a solutions architect take to resolve the problem and prevent it from happening in the future? (Choose three.)

Answer options

• A. Create an AWS Config rule in each account to find resources with missing tags.
• B. Create an SCP in the organization with a deny action for ec2:Runlnstances if the Project tag is missing.
• C. Use Amazon Inspector in the organization to find resources with missing tags.
• D. Create an IAM policy in each account with a deny action for ec2:Runlnstances if the Project tag is missing.
• E. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag.
• F. Use AWS Security Hub to aggregate a list of EC2 instances with the missing Project tag.

Correct answer: A, B, E

Explanation

To detect existing non-compliant resources, deploying an AWS Config rule in each account combined with an organization-wide AWS Config aggregator provides a centralized view of all EC2 instances missing the Project tag. To prevent future untagged instances, a Service Control Policy (SCP) at the organization level offers a robust, centralized guardrail that enforces tag presence during instance creation. Other services like Amazon Inspector and AWS Security Hub are designed for security vulnerability assessments and posture management, not for tracking custom resource tag compliance.