
SAP-C02 Exam - Question 363


A company is managing many AWS accounts by using an organization in AWS Organizations. Different business units in the company run applications on Amazon EC2 instances. All the EC2 instances must have a BusinessUnit tag so that the company can track the cost for each business unit.

A recent audit revealed that some instances were missing this tag. The company manually added the missing tag to the instances.

What should a solutions architect do to enforce the tagging requirement in the future?

Correct Answer: C

To enforce that all EC2 instances are tagged with the BusinessUnit tag, you should create a Service Control Policy (SCP) and attach it to the root of the organization. This policy should include a rule that denies the creation of EC2 instances if the BusinessUnit tag is missing. Tag policies alone will not prevent the creation of resources without tags; instead, they help ensure that tags have the correct key values. SCPs, on the other hand, can enforce the tagging requirement by preventing the instantiation of resources that do not meet the tagging criteria. Hence, the correct approach involves using an SCP with the appropriate condition to deny EC2 instance creation when the required tag is not present.
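An SCP of the kind the explanation describes, written here as an added example (it is not taken from the page or from AWS documentation). The first statement denies ec2:RunInstances when the request carries no BusinessUnit tag, using the Null condition on aws:RequestTag; the second statement goes beyond the question and blocks later removal of that tag with ec2:DeleteTags. The Sid values are made up, and the policy is assumed to be attached to the organization root.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutBusinessUnitTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/BusinessUnit": "true"
        }
      }
    },
    {
      "Sid": "DenyRemovingBusinessUnitTag",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["BusinessUnit"]
        }
      }
    }
  ]
}
```

SCPs never apply to the management account, and this policy only affects new launches and tag deletions, so instances that are already untagged still need the manual remediation the question describes.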

Discussion

17 comments
ayadmawla (Option: C)
Dec 10, 2023

Answer is C. To those that are getting confused between a Management Account vs the Root of the Organisation, here are my two pennies: the Management Account is where you create accounts, manage payments, create the organisation, etc. The Root of the Organisation is where you apply the policies. See: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html

marszalekm
Feb 19, 2024

You apply SCP in root account and tag policy in management account, but I think crucial issue here is to "enforce the tagging requirement in the future", only SCP can do that. https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/ "SCPs can be used along-side tag policies to ensure that the tags are applied at the resource creation time and remain attached to the resource." https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html "When you sign in to the organization's management account, you use Organizations to enable the tag policies feature. [...] in the organization's management account. Then you can create tag policies and attach them to the organization entities to put those tagging rules in effect. "

MegalodonBolado (Option: C)
Jan 4, 2024

From repost:
* Use tag policies to prevent tagging on existing resources
* Use SCPs to prevent tagging for creating new resources
https://repost.aws/knowledge-center/organizations-scp-tag-policies

What should a solutions architect do to enforce the tagging requirement in the future? You can use SCPs to prevent the creation of new AWS resources that aren't tagged for your Organization’s tagging restriction guidelines. To make sure that the AWS resources are created only if a certain tag is present, use the example SCP policy to require a tag on specified created resources: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html#example-require-tag-on-create

MegalodonBolado
Jan 4, 2024

Looks like I can't post json code here, so follow the last link to find the policy

red_panda (Option: C)
May 12, 2024

For me it's C. Here we have to note that when AWS Organization Units are mentioned, for the most part we need to use SCP or RAM at the exams. Just a little tip. Apart from this, C seems the most correct answer in my point of view :)

blackgamer (Option: A)
Dec 14, 2023

The correct answer is A.

wmp7039 (Option: B)
Dec 29, 2023

Use AWS Organizations to manage tag policies. When you sign in to the organization's management account, you use Organizations to enable the tag policies feature. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

igor12ghsj577
Jan 20, 2024

Tag Policy only enforces the accepted value of a tag, and not its presence. Therefore, users (with appropriate IAM permissions) would still be able to create untagged resources. To restrict the creation of an AWS resource without the appropriate tags, we will utilize SCPs to set guardrails around resource creation requests.

water314 (Option: A)
Dec 29, 2023

Implement a tag policy that specifically requires the BusinessUnit tag on EC2 instances. This policy can be enforced across the organization, ensuring that all EC2 instances carry the mandatory tag. Compliance with tag key capitalization can be turned off to allow flexibility in how the tag key is formatted. Once the policy is created, it should be attached to the root of the organization, which ensures that it is applied across all accounts within the organization.

duriselvan
Dec 30, 2023

Ans: C https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

duriselvan
Dec 30, 2023

https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

NOZOMI
Dec 31, 2023

The answer is C. Tag policies control the key and value when a tag is applied, but they cannot prevent the application of tags themselves.

Laercio96 (Option: C)
Jan 3, 2024

After you create a tagging policy, you can put your tagging rules into effect. To do this, attach the policy to the organization root, organizational units (OUs), AWS Accounts within the organization, or a combination of organization entities. https://docs.aws.amazon.com/pt_br/organizations/latest/userguide/orgs_manage_policies_tag-policies-create.html Option B asks to attach the management account, but the question informs you that you have several accounts. That's why I'll go with "C"

career360guru (Option: C)
Jan 10, 2024

Option C

pangchn (Option: C)
Mar 14, 2024

C. Did a recent project which is similar to this question. B and D are out since they apply to the management account, which is wrong. For C, SCP will deny the resource creation if it is missing the tag. For A, a tagging policy will deny tag creation if the tag key is not matching the name. For this question as asked, it is C. If the question were asking that a resource must have tag key ABC=*** and cannot have tag key CBA=***, then A would be the answer. For a real-world restriction, you may have both A and C set up.

TonytheTiger (Option: C)
Mar 25, 2024

Option C - SCP for tagging resources https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html#example-require-tag-on-create

VerRi (Option: C)
Mar 30, 2024

Tag policies take control of auto-tagging but do not "enforce" the tagging requirement.

tushar321
Apr 15, 2024

C. "true": This means that the condition will evaluate to true (and thus the policy statement will be in effect) if the Project tag is not present in the request. The condition states that the policy statement is in effect when the Project tag is not included in the request. If the Project tag is present, the condition will evaluate to false.

053081f (Option: A)
Jul 7, 2024

Correct answer is A, rather than B. C: While this SCP would prevent instances from being created without the tag, it's a more restrictive approach than using tag policies. SCPs are better suited for broad permission management rather than enforcing tagging.

053081f (Option: C)
Jul 7, 2024

Options A and B are incorrect: tag policies with capitalization control provide the following regulation. For example, if the "BusinessUnit" tag requires case sensitivity, creating resources with tags like "BusineSSUnit" or "businessunit" will fail, while creating resources with the "Business" tag will be allowed. Case sensitivity enforces rules within the same string, but does not fulfill the requirements of this question.