Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 236 discussion

The most suitable solution for applying standardized tags across the organization with specific values for each OU is A. Use an SCP to deny the creation of resources that do not have the required tags. Create a tag policy that includes the tag values for each OU. Attach the tag policies to the OUs. Here's why: Enforce tag standardization: An SCP applied to the entire organization denies resource creation unless the required tags are present, ensuring consistent tagging across all accounts. OU-specific tags: Tag policies attached to each OU define the specific tag values for that OU, allowing customization without compromising overall standardization. Granular control: Attaching tag policies to OUs instead of the management account provides more granular control and flexibility for managing tags within each OU.

You go to the management account -> Organizations console -> Policies -> Tag policies -> "name of the policy" -> attach to OU. That's it - A is correct

A is ans

Option A

FOR EACH OU's

it's an A

The correct answer is B. Imagine if you had an AWS Organization with 50+ OUs, it would be very inefficient to manually apply a generic tagging policy to each OU, so that's why there is the concept of policy inheritance: when you attach a policy to the organization root, all OUs and accounts in the organization inherit that policy When you attach a tag policy to your organization root, the tag policy applies to all of that root's member OUs and accounts. https://docs.aws.amazon.com/organizations/latest/userguide/attach-tag-policy.html Understanding policy inheritance: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance.html

C and D must be wrong, because of "allow ... " B is weird.

Each of the company's OUs will have unique tag values. Then A because each OU unique tags A is the unique with approved this case

It's A. The policies are different for each account, so you can't assign it to the management account. Exact same scenario: https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

MODERATOR - Please remove my previous comment. From the discussion it looks like A is the answer. Looks like the tag policies should be attached at the OU level to ensure that each OU has its own unique tag values.

I think it's A

GPT 4. 0 says A - I agree. Values per OU

b-b-b-b-b-b

option A is the right answer, we need a have a list of allowed tag values per OU

B - you don't have apply SCPs to each account or OU. Attaching the tag policies to the organization's management account ensures that the policies are applied consistently to all OUs within the organization. C is incorrect because SCP are NOT used for ALLOW action. They are used for DENY actions (setting boundaries)