AWS SAP-C02 · Question 48 · Domain 1.4: Multi-Account Environment
An enterprise has a strict compliance requirement: no Amazon EC2 instances can be launched without a specific set of tags (CostCenter and ProjectID). If a user attempts to launch an instance without these tags, the launch must be blocked immediately. How can the Solutions Architect enforce this across the entire AWS Organization?
Answer options:
Use AWS Config with the required-tags managed rule and enable automatic remediation to terminate non-compliant instances.
Create a Service Control Policy (SCP) that denies ec2:RunInstances if the required tags are not present.
Use AWS CloudTrail to monitor for RunInstances events and trigger a Lambda function to stop the instance.
Configure Tag Policies in AWS Organizations to enforce the tags.