A company created a new organization in AWS Organizations with multiple accounts for development teams. Developers use AWS IAM Identity Center (AWS Single Sign-On) to access accounts. For each application, development teams must apply a predefined application name tag to resources they create. A solutions architect must allow resource creation only if the application name tag has an approved value. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a tag policy in Organizations that contains a list of allowed application names..
Why this is the answer
A tag policy in AWS Organizations is the most effective solution. It allows you to define rules for tagging across all accounts in your organization, including specifying allowed tag keys and values. By creating a tag policy with a list of approved application names, you can enforce that developers only use valid application name tags when creating resources. If a resource is created without the required tag or with an unapproved value, the action will be denied. IAM groups with conditional Allow policies are account-specific and would need to be replicated across all development accounts, making management complex. A cross-account role with a Deny policy for existing tags wouldn't prevent the initial creation of resources with incorrect tags. AWS Resource Groups are for organizing and managing resources after they are created, not for enforcing tagging policies during creation.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed