ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 364 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 364
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company is managing many AWS accounts by using an organization in AWS Organizations. Different business units in the company run applications on Amazon EC2 instances. All the EC2 instances must have a BusinessUnit tag so that the company can track the cost for each business unit.

A recent audit revealed that some instances were missing this tag. The company manually added the missing tag to the instances.

What should a solutions architect do to enforce the tagging requirement in the future?

  • A. Enable tag policies in the organization. Create a tag policy for the BusinessUnit tag. Ensure that compliance with tag key capitalization is turned off. Implement the tag policy for the ec2:instance resource type. Attach the tag policy to the root of the organization.
  • B. Enable tag policies in the organization. Create a tag policy for the BusinessUnit tag. Ensure that compliance with tag key capitalization is turned on. Implement the tag policy for the ec2:instance resource type. Attach the tag policy to the organization's management account.
  • C. Create an SCP and attach the SCP to the root of the organization. Include the following statement in the SCP:
  • D. Create an SCP and attach the SCP to the organization’s management account. Include the following statement in the SCP:
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by cypkir at Nov. 22, 2023, 7:41 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
ayadmawla
Highly Voted 1 year, 3 months ago
Selected Answer: C
Answer is C. To those that are getting confused between a Management Account vs Root of the Organisation here is my two pennies: Management Account is where you create accounts, management payments, create organisation, etc. Root of Organisation is where you apply the policies See: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
upvoted 15 times
marszalekm
1 year, 1 month ago
You apply SCP in root account and tag policy in management account, but I think crucial issue here is to "enforce the tagging requirement in the future", only SCP can do that. https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/ "SCPs can be used along-side tag policies to ensure that the tags are applied at the resource creation time and remain attached to the resource." https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html "When you sign in to the organization's management account, you use Organizations to enable the tag policies feature. [...] in the organization's management account. Then you can create tag policies and attach them to the organization entities to put those tagging rules in effect. "
upvoted 3 times
...
...
MegalodonBolado
Highly Voted 1 year, 3 months ago
Selected Answer: C
From repost: * Use tag policies to prevent tagging on existing resources * Use SCPs to prevent tagging for creating new resources https://repost.aws/knowledge-center/organizations-scp-tag-policies What should a solutions architect do to enforce the tagging requirement in the future? You can use SCPs to prevent the creation of new AWS resources that aren't tagged for your Organization’s tagging restriction guidelines. To make sure that the AWS resources are created only if a certain tag is present, use the example SCP policy to require a tag on specified created resources: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html#example-require-tag-on-create
upvoted 7 times
MegalodonBolado
1 year, 3 months ago
Looks like I can't post json code here, so follow the last link to find the policy
upvoted 1 times
...
...
AzureDP900
Most Recent 4 months, 2 weeks ago
C is correct
upvoted 1 times
...
053081f
9 months ago
Selected Answer: C
Option A and B is incorrect: Tag policies with capitalization control provide the following regulation: For example, if the "BusinessUnit" tag requires case sensitivity, creating resources with tags like "BusineSSUnit" or "businessunit" will fail, while creating resources with the "Business" tag will be allowed. Case sensitivity enforces rules within the same string, but does not fulfill the requirements of this question.
upvoted 1 times
...
053081f
9 months ago
Selected Answer: A
Correct answer is A, rather than B. C: While this SCP would prevent instances from being created without the tag, it's a more restrictive approach than using tag policies. SCPs are better suited for broad permission management rather than enforcing tagging.
upvoted 1 times
...
red_panda
10 months, 3 weeks ago
Selected Answer: C
For me it's C. Here we have to note that when the AWS Organization Units are mentioned, for the most we need to use SCP or RAM at the exams. Just little tips. A part of this, C seems most correct answer in my point of view :)
upvoted 2 times
...
tushar321
11 months, 3 weeks ago
C. “true”: This means that the condition will evaluate to true (and thus the policy statement will be in effect) if the Project tag is not present in the request. condition states that the policy statement is in effect when the Project tag is not included in the request. If the Project tag is present, the condition will evaluate to false
upvoted 2 times
...
VerRi
1 year ago
Selected Answer: C
Tag policies take control of auto-tagging but do not "enforce" the tagging requirement.
upvoted 1 times
...
TonytheTiger
1 year ago
Selected Answer: C
Option C - SCP for tagging resources https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_tagging.html#example-require-tag-on-create
upvoted 1 times
...
pangchn
1 year ago
Selected Answer: C
C Did a recent project which is similar to this question. B D out since they apply to management account which is wrong. For C, SCP will deny the resource creation, if it is missing the tag For A, tagging policy will deny tag creation if the tag key is not matching the name For this question asked, it is C If question is asking that resource must be have tag key ABC=***, and can't not have tag key CBA=*** then A would be the answer. For a real world restriction, you may have both A and C setup
upvoted 1 times
...
career360guru
1 year, 2 months ago
Selected Answer: C
Option C
upvoted 1 times
...
Laercio96
1 year, 3 months ago
Selected Answer: C
After you create a tagging policy, you can put your tagging rules into effect. To do this, attach the policy to the organization root, organizational units (OUs), AWS Accounts within the organization, or a combination of organization entities. https://docs.aws.amazon.com/pt_br/organizations/latest/userguide/orgs_manage_policies_tag-policies-create.html Option B asks to attach the management account, but the question informs you that you have several accounts. That's why I'll go with "C"
upvoted 1 times
...
NOZOMI
1 year, 3 months ago
The answer is c. Tag policies control the key and value when a tag is applied, but they cannot prevent the application of tags themselves.
upvoted 1 times
...
duriselvan
1 year, 3 months ago
https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/
upvoted 1 times
...
duriselvan
1 year, 3 months ago
ANs :c https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/
upvoted 1 times
...
water314
1 year, 3 months ago
Selected Answer: A
Implement a tag policy that specifically requires the BusinessUnit tag on EC2 instances. This policy can be enforced across the organization, ensuring that all EC2 instances carry the mandatory tag. Compliance with tag key capitalization can be turned off to allow flexibility in how the tag key is formatted. Once the policy is created, it should be attached to the root of the organization, which ensures that it is applied across all accounts within the organization.
upvoted 1 times
...
wmp7039
1 year, 3 months ago
Selected Answer: B
Use AWS Organizations to manage tag policies. When you sign in to the organization's management account, you use Organizations to enable the tag policies feature. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/
upvoted 1 times
igor12ghsj577
1 year, 2 months ago
Tag Policy only enforces the accepted value of a tag, and not its presence. Therefore, users (with appropriate IAM permissions) would still be able to create untagged resources. To restrict the creation of an AWS resource without the appropriate tags, we will utilize SCPs to set guardrails around resource creation requests.
upvoted 1 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago