Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 113 discussion

If config rule is added (A) it can be seen in AWS Config aggregator (E) Using SCP in as aws organization is used here in question. So, A,B,E

A. Create an AWS Config rule in each account to find resources with missing tags. By creating an AWS Config rule in each account, you can check if resources are missing tags or have tags that are not conforming to your organization's standards. You can also use AWS Config to automatically remediate non-compliant resources by applying tags. This can help ensure that resources are properly tagged for cost allocation purposes. Here is the AWS Config documentation for creating rules: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html

A. Create an AWS Config rule in each account to find resources with missing tags. B. Create an SCP in the organization with a deny action for ec2:RunInstances if the Project tag is missing. E. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag.

ABE, SCP + Config + Config Aggregator

B and E handle the requirements in a centralised manner, giving least operational overhead, without anything needing to be added. The question is plainly wrongly stated. If three options have to be selected, then A is the least absurd one.

A. Create an AWS Config rule in each account to find resources with missing tags.AWS Config can evaluate the configuration of your AWS resources and identify resources that do not comply with specified requirements, such as missing specific tags. This helps in identifying existing resources with the issue. B. Create an SCP in the organization with a deny action for ec2:RunInstances if the Project tag is missing.Service Control Policies (SCPs) can enforce permissions across all accounts in an organization. By creating an SCP that denies launching EC2 instances without the required Project tag, you can prevent the problem from occurring in the future at the organization level. E. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag.An AWS Config aggregator can aggregate compliance data from multiple accounts and regions. This allows for centralized visibility of instances lacking the required tags, making it easier to address and resolve the issue across the entire organization.

A is not needed if you have D. Correct answer is BDE.

Option A, B and E

Inspector checks for Vulnerabilities but not the tags.

its ABE

A. AWS Config allows you to remediate noncompliant resources that are evaluated by AWS Config Rules. AWS Config applies remediation using AWS Systems Manager Automation documents. These documents define the actions to be performed on noncompliant AWS resources evaluated by AWS Config Rules. You can associate SSM documents by using AWS Management Console or by using APIs. AWS Config provides a set of managed automation documents with remediation actions. You can also create and associate custom automation documents with AWS Config rules. To apply remediation on noncompliant resources, you can either choose the remediation action you want to associate from a prepopulated list or create your own custom remediation actions using SSM documents. AWS Config provides a recommended list of remediation action in the AWS Management Console. In the AWS Management Console, you can either choose to manually or automatically remediate noncompliant resources by associating remediation actions with AWS Config rules. With all remediation actions, you can either choose manual or automatic remediation.

ABE is the better choice

what's the value of A and E together- it's either or ? the outcome is the same - thoughts?

ABE makes sense

Config, SCP and IAM policy may not require in each account but it says to select three options so going with ABE

BE makes sense

the best way to deploy config rules accross accounts= SCP