AWS Certified SysOps Administrator – Associate (legacy) — Question 848
A company's AWS account users are launching Amazon EC2 instances without required cost allocation tags. A SysOps administrator needs to prevent users within an organization in AWS Organizations from launching new EC2 instances that do not have the required tags. The solution must require the least possible operational overhead.
Which solution meets these requirements?
Answer options
- A. Set up an AWS Lambda function that will initiate a run instance event and check for the required tags. Configure the function to prevent the launch of EC2 instances if the tags are missing.
- B. Set up an AWS Config rule to monitor for EC2 instances that lack the required tags.
- C. Set up a service control policy (SCP) that prevents the launch of EC2 instances that lack the required tags. Attach the SCP to the organization root.
- D. Set up an Amazon CloudWatch alarm to stop any EC2 instances that lack the required tags.
Correct answer: C
Explanation
A service control policy (SCP) attached to the organization root is the only option here that is preventive rather than detective: it is evaluated by IAM at the moment a principal in any member account calls `ec2:RunInstances`, so an untagged launch is refused with an access-denied error instead of being created and cleaned up later. It is also the lowest-overhead option, because there is no code, schedule, or alarm to maintain; the policy is a single JSON document that AWS Organizations applies to every account under the root (the management account is exempt from SCPs, as it is from all SCPs). The tag check is expressed with a `Null` condition on `aws:RequestTag/<key>`, which is true only when the request carries no value for that tag key. AWS Config (option B) records a resource as non-compliant only after it exists, so at best it supports auto-remediation after the launch. A Lambda function (option A) cannot intercept a RunInstances call: the CloudTrail or EventBridge event it would react to is emitted after the instance is already running, so the function could only terminate it afterwards, and it adds custom code to develop, test, and operate. A CloudWatch alarm (option D) acts on metrics, which carry no tag information, and its stop action applies to a specific instance configured in the alarm, not to "any instance missing a tag". Note also that an AWS Organizations tag policy is not a substitute: it standardizes keys and values on tagging operations but does not block the creation of resources that have no tags at all.
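The SCP that implements the correct answer, written here as an added example (it is not part of the original question or explanation). The required tag key `CostCenter` is an assumption; substitute whatever keys the company mandates, adding one entry per key. The `Resource` element is deliberately restricted to the instance and volume ARNs rather than `"*"`: `ec2:RunInstances` is also authorized against the AMI, subnet, security group, key pair, and network interface resources, none of which carry `aws:RequestTag`, so a Deny with `"Resource": "*"` would match those resources and block every launch, tagged or not.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "DenyRemovingCostCenterTagFromInstances",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["CostCenter"]
        }
      }
    }
  ]
}
```

Attach it to the root with `aws organizations attach-policy --policy-id <id> --target-id <root-id>` after creating it with `aws organizations create-policy --type SERVICE_CONTROL_POLICY`. Because SCPs only filter the permissions an account's own IAM policies grant, the policy must still be tested from a member account: launch once with `--tag-specifications 'ResourceType=instance,Tags=[{Key=CostCenter,Value=1234}]'` (plus the same for `volume`) and once without, and confirm only the second call fails with `UnauthorizedOperation`. The second statement is optional hardening, also an assumption of this example, that stops users from deleting the tag after launch; existing untagged instances are unaffected by either statement and still need a one-time detective sweep.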