Which solution will meet these requirements?
Use an SCP to deny the creation of resources that do not have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the OUs.
Use an SCP to deny the creation of resources that do not have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the organization’s management account.
Use an SCP to allow the creation of resources only when the resources have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the OUs.
Use an SCP to deny the creation of resources that do not have the required tags. Define the list of tags. Attach the SCP to the OUs.
Explanations:
This option correctly uses an SCP to deny the creation of resources without the required tags, ensuring compliance with the tagging strategy. Additionally, it involves a tag policy that specifies tag values for each OU, which allows for different tag values across the organization. Attaching the tag policies to the OUs aligns with the requirement of unique tag values for each OU.
While this option uses an SCP to deny resource creation without required tags, it incorrectly suggests attaching the tag policies to the organization’s management account. Tag policies should be applied at the OU level to ensure that unique tag values can be enforced for each OU, making this approach ineffective for the given requirements.
This option incorrectly states that an SCP can allow the creation of resources only when they have required tags. SCPs do not allow specific conditions on resource creation; they can only allow or deny actions. Therefore, it cannot enforce tagging requirements effectively. While it correctly mentions creating tag policies for each OU, the use of an allow SCP is not suitable for enforcing tagging.
This option proposes using an SCP to deny resource creation without required tags, which is correct. However, it lacks the necessary detail about defining tag values and does not mention tag policies, which are essential for enforcing specific tag values unique to each OU. Simply attaching the SCP to the OUs without a tag policy does not satisfy the requirement for unique tag values.
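An added example, not part of the original page, of the two controls the first explanation describes: an SCP that denies resource creation when a required tag is absent, and one tag policy per OU listing that OU's values. The tag key CostCenter, the OU names and values, and the choice of ec2:RunInstances are assumptions; check_request is a simplified local model, not AWS's policy evaluation.

```python
import json

TAG_KEY = "CostCenter"  # assumed tag key; the page does not name one
# Constructed OU names and tag values, for illustration only.
OU_VALUES = {"ou-finance": ["FIN-100"], "ou-research": ["RES-200", "RES-210"]}

def build_scp(tag_key):
    """SCP that denies ec2:RunInstances when the request has no tag_key tag."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInstancesWithoutRequiredTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            # Null == "true" matches when the tag is absent from the request.
            "Condition": {"Null": {f"aws:RequestTag/{tag_key}": "true"}},
        }],
    }

def build_tag_policy(tag_key, allowed_values):
    """Tag policy for one OU: the values this OU may use for tag_key."""
    return {"tags": {tag_key: {
        "tag_key": {"@@assign": tag_key},
        "tag_value": {"@@assign": list(allowed_values)},
        "enforced_for": {"@@assign": ["ec2:instance"]},
    }}}

def check_request(ou, request_tags):
    """Simplified model: the SCP check first, then the OU's tag policy."""
    scp = build_scp(TAG_KEY)
    cond_key = next(iter(scp["Statement"][0]["Condition"]["Null"]))
    required = cond_key.split("/", 1)[1]
    if required not in request_tags:
        return "denied by SCP: required tag missing"
    policy = build_tag_policy(TAG_KEY, OU_VALUES[ou])
    allowed = policy["tags"][TAG_KEY]["tag_value"]["@@assign"]
    if request_tags[required] not in allowed:
        return "rejected by tag policy: value not assigned to this OU"
    return "allowed"

if __name__ == "__main__":
    print(json.dumps(build_scp(TAG_KEY), indent=2))
    for ou, values in OU_VALUES.items():
        print(ou, json.dumps(build_tag_policy(TAG_KEY, values)))
    print(check_request("ou-finance", {}))
    print(check_request("ou-finance", {TAG_KEY: "RES-200"}))
    print(check_request("ou-research", {TAG_KEY: "RES-200"}))
```

The same SCP document can be attached to every OU, while each OU gets its own tag policy document built from its entry in OU_VALUES.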