Topic 1 Question 326
A company uses an organization in AWS Organizations to manage its 500 AWS accounts. The organization has all features enabled. The AWS accounts are in a single OU. The developers need to use the CostCenter tag key for all resources in the organization's member accounts. Some teams do not use the CostCenter tag key to tag their Amazon EC2 instances.
The cloud team wrote a script that scans all EC2 instances in the organization's member accounts. If the EC2 instances do not have a CostCenter tag key, the script will notify AWS account administrators. To avoid this notification, some developers use the CostCenter tag key with an arbitrary string in the tag value.
The cloud team needs to ensure that all EC2 instances in the organization use a CostCenter tag key with the appropriate cost center value.
Which solution will meet these requirements?
Create an SCP that prevents the creation of EC2 instances without the CostCenter tag key. Create a tag policy that requires the CostCenter tag to be values from a known list of cost centers for all EC2 instances. Attach the policy to the OU. Update the script to scan the tag keys and tag values. Modify the script to update noncompliant resources with a default approved tag value for the CostCenter tag key.
Create an SCP that prevents the creation of EC2 instances without the CostCenter tag key. Attach the policy to the OU. Update the script to scan the tag keys and tag values and notify the administrators when the tag values are not valid.
Create an SCP that prevents the creation of EC2 instances without the CostCenter tag key. Attach the policy to the OU. Create an IAM permission boundary in the organization's member accounts that restricts the CostCenter tag values to a list of valid cost centers.
Create a tag policy that requires the CostCenter tag to be values from a known list of cost centers for all EC2 instances. Attach the policy to the OU. Configure an AWS Lambda function that adds an empty CostCenter tag key to an EC2 instance. Create an Amazon EventBridge rule that matches events to the RunInstances API action with the Lambda function as the target.
ユーザの投票
コメント(2)
- 正解だと思う選択肢: A
Service Control Policy (SCP): Creating an SCP ensures that any attempt to create EC2 instances without the CostCenter tag key is denied right from the start. This enforces the requirement at the organizational level.
Tag Policy: By creating a tag policy that enforces the CostCenter tag values to be from a known list, you can ensure that only valid cost center values are used across all EC2 instances.
Script Update: Updating the script to not only scan for tag keys and values but also to update noncompliant resources with a default approved tag value ensures compliance and mitigates the issue of arbitrary string values.
Comprehensive Solution: This approach addresses both the presence of the CostCenter tag and the correctness of its value, providing a comprehensive solution to the problem.
👍 5f4b18ba2024/11/22 - 正解だと思う選択肢: A
The answer is A
👍 3Changwha2024/11/23
シャッフルモード