SAP-C02 Question #503: Real Exam Question with Answer & Explanation
The correct answer is A: Use an SCP to deny the creation of resources that do not have the required tags. Create a tag.
Question
A company is designing an AWS Organizations structure. The company wants to standardize a process to apply tags across the entire organization. The company will require tags with specific values when a user creates a new resource. Each of the company's OUs will have unique tag values. Which solution will meet these requirements?
Options
- A. Use an SCP to deny the creation of resources that do not have the required tags. Create a tag
- B. Use an SCP to deny the creation of resources that do not have the required tags. Create a tag
- C. Use an SCP to allow the creation of resources only when the resources have the required tags.
- D. Use an SCP to deny the creation of resources that do not have the required tags. Define the list
Explanation
To standardize and enforce required tags with specific, OU-unique values during resource creation across an AWS Organization, use an SCP to deny untagged resource creation and a Tag Policy to define the allowed tag values for each OU.
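The two policy documents described above, as an added example that is not part of the original page: it builds the SCP and one tag policy per OU, then runs a simplified model of how they split the work. The tag key `CostCenter`, the OU names, the values and the `evaluate` helper are assumptions constructed for illustration; `evaluate` is not AWS's policy evaluation engine.

```python
import json

# Assumed tag key and per-OU allowed values (constructed for illustration).
TAG_KEY = "CostCenter"
OU_VALUES = {"ou-finance": ["FIN-100", "FIN-200"], "ou-research": ["RND-300"]}

def build_scp(tag_key=TAG_KEY):
    """SCP: deny ec2:RunInstances when the request carries no <tag_key> tag."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRunInstancesWithoutTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": ["arn:aws:ec2:*:*:instance/*"],
            # Null=true matches when the tag key is absent from the request.
            "Condition": {"Null": {f"aws:RequestTag/{tag_key}": "true"}},
        }],
    }

def build_tag_policy(values, tag_key=TAG_KEY):
    """Tag policy for one OU: allowed values, enforced for EC2 instances."""
    return {"tags": {tag_key: {
        "tag_key": {"@@assign": tag_key},
        "tag_value": {"@@assign": list(values)},
        "enforced_for": {"@@assign": ["ec2:instance"]},
    }}}

def evaluate(ou, request_tags):
    """Simplified model of both controls for one ec2:RunInstances request."""
    scp, policy = build_scp(), build_tag_policy(OU_VALUES[ou])
    cond_key = next(iter(scp["Statement"][0]["Condition"]["Null"]))
    key = cond_key.split("/", 1)[1]
    if key not in request_tags:            # SCP checks presence only, not value
        return "denied by SCP (tag missing)"
    allowed = policy["tags"][key]["tag_value"]["@@assign"]
    if request_tags[key] not in allowed:   # tag policy checks the value per OU
        return "blocked by tag policy (value not allowed in this OU)"
    return "allowed"

if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
    for ou, values in OU_VALUES.items():
        print(ou, json.dumps(build_tag_policy(values)))
    print(evaluate("ou-finance", {}))
    print(evaluate("ou-finance", {"CostCenter": "RND-300"}))
    print(evaluate("ou-research", {"CostCenter": "RND-300"}))
```

The SCP condition only tests that the tag key is present in the request; the per-OU value check comes from the tag policy, and only for resource types listed in `enforced_for`.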
Common mistakes.
- B. This choice is structurally identical to A; however, A is specified as the correct answer, implying B is not the selected choice.
- C. AWS Config rules are primarily used for auditing resource configurations and tags after resources are created, meaning they cannot prevent resource creation if tags are missing or incorrect, which is a key requirement.
- D. While IAM policies can use condition keys for tags, this approach is less scalable and harder to manage centrally across an entire organization compared to using AWS Organizations Tag Policies, which are specifically designed for organization-wide tag governance.
Concept tested. Tag governance, AWS Organizations SCPs, Tag Policies
Reference. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html