AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company operates 10 AWS accounts that are all members of a single AWS Organizations organization that uses consolidated billing. The Cloud Center of Excellence (CCoE) has published a mandatory tag key named BusinessUnit with only four allowed values (Marketing, Finance, R&D, Shared). The finance team must:
Block the creation of any new resource in any account if the resource is missing the BusinessUnit tag or if the tag value is not one of the approved values.
Produce a monthly AWS Cost Explorer report that groups costs by business unit without manually correcting tag errors. Which approach satisfies both requirements while requiring the least ongoing operational effort?
In each member account, deploy an AWS Config rule that requires the BusinessUnit tag, configure Systems Manager automation to add missing tags, and activate the tag locally for cost allocation reporting.
Attach a Service Control Policy (SCP) to the organization root that denies resource-creation APIs unless the BusinessUnit tag key is present; use AWS Cost Categories to allocate costs when the tag is absent or has unexpected values.
Populate the four BusinessUnit values in AWS Service Catalog TagOptions, require all resource provisioning through Service Catalog portfolios, and enable user-defined cost allocation tags in the management account.
From the management account, create an AWS Organizations tag policy that specifies the BusinessUnit key with the four allowed values and enables enforcement for all supported resource types; attach the policy to the organization root. Then activate BusinessUnit as a Cost Allocation Tag in the Billing and Cost Management console and use Cost Explorer to group costs by that tag.
A centrally managed AWS Organizations tag policy can define the mandatory BusinessUnit tag, list the only valid values, and enable enforcement so that API calls that attempt to create or update resources with missing or incorrect tag values are rejected. Because tag policies are applied from the management account to the entire organization (or specific OUs), they eliminate the need to configure rules in every individual member account. After the tag exists on resources, the management account must activate the tag as a Cost Allocation Tag in the Billing and Cost Management console. Once activated, the tag automatically appears in Cost Explorer, allowing the finance team to generate cost reports grouped by BusinessUnit with no further remediation. The other options fall short:
Deploying AWS Config rules in every account detects non-compliance after the fact and adds remediation overhead.
Requiring all provisioning through Service Catalog TagOptions does not cover resources created outside Service Catalog.
An SCP can reject requests that omit the tag but cannot validate tag values, so invalid values would still pollute the data shown in Cost Explorer.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an AWS Organizations tag policy and how does enforcement work?
Open an interactive chat with Bash
How do you activate a tag as a Cost Allocation Tag, and what is its role in Cost Explorer?
Open an interactive chat with Bash
Why is a Service Control Policy (SCP) insufficient for validating tag values?
Open an interactive chat with Bash
AWS Certified Solutions Architect Professional SAP-C02
Design Solutions for Organizational Complexity
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access