AWS Certified SysOps Administrator – Associate (legacy) — Question 746
A company's audit shows that users have been changing cost-related tags on Amazon EC2 instances after deployment. The company has an organization in AWS Organizations with many AWS accounts.
The company needs a solution to detect the EC2 instances automatically. The solution must require the least possible operational overhead.
Which solution meets these requirements?
Answer options
- A. Use service control policies (SCPs) to track EC2 instances that do not have the required tags.
- B. Use Amazon Inspector to run a report to identify EC2 instances that do not have the required tags.
- C. Use an AWS Config rule to track EC2 instances that do not have the required tags.
- D. Use AWS Well-Architected Tool (AWS WA Tool) to run a report to identify EC2 instances that do not have the required tags.
Correct answer: A
Explanation
Service control policies (SCPs) in AWS Organizations enable centralized management and enforcement of policies across multiple AWS accounts, making them the most operationally efficient way to track and control unauthorized tag changes. Other options like Amazon Inspector, AWS Config, or the AWS Well-Architected Tool either require significant multi-account configuration overhead or are not designed to dynamically track and restrict tag compliance at the organization level.