Which solution will meet these requirements with the LEAST operational overhead?
A. Create an IAM policy for all actions that create AWS resources. Add a condition to the policy that aws:RequestTag/costcenter must exist and must contain a valid business unit value. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that monitors IAM service events and Amazon EC2 service events for noncompliant tag policies. Configure the rule to send notifications through Amazon Simple Notification Service (Amazon SNS).
B. Create an IAM policy for all actions that create AWS resources. Add a condition to the policy that aws:ResourceTag/costcenter must exist and must contain a valid business unit value. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that monitors IAM service events and Amazon EC2 service events for noncompliant tag policies. Configure the rule to send notifications through Amazon Simple Notification Service (Amazon SNS).
C. Create an organization tag policy that ensures that all resources have the costcenter tag with a valid business unit value. Do not select the option to prevent operations when tags are noncompliant. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that monitors all events for noncompliant tag policies. Configure the rule to send notifications through Amazon Simple Notification Service (Amazon SNS).
D. Create an organization tag policy that ensures that all resources have the costcenter tag with a valid business unit value. Select the option to prevent operations when tags are noncompliant. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that monitors all events for noncompliant tag policies. Configure the rule to send notifications through Amazon Simple Notification Service (Amazon SNS).
Explanations:
A. This option conditions on aws:RequestTag/costcenter, which is evaluated only against the tags supplied in the create request itself. It says nothing about resources that already exist, and the key is only populated when the service supports tagging on creation and the caller actually passes tags in that call, so it does not guarantee compliance across the estate. Furthermore, the EventBridge rule watches only IAM and Amazon EC2 service events, which do not capture noncompliance across all AWS services, leaving gaps in oversight.
B. Similar to option A, but the condition uses aws:ResourceTag/costcenter. That key refers to tags already attached to an existing resource; on an action that creates a resource, the resource does not exist yet, so the key is absent from the request context and the condition can never be satisfied. The policy therefore does not enforce the tag at all on create calls, and it still does nothing for resources that already exist. The EventBridge rule again monitors only IAM and EC2 events, so it does not provide comprehensive coverage of tagging compliance. This option does not meet the requirement for tracking all resources.
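To make the difference between options A and B concrete, the following is an added example (not code from the original page or from AWS) that models the handful of IAM condition operators needed to show how a create call is evaluated. The policy engine is a deliberate simplification of IAM, and the business-unit values, the action (ec2:RunInstances) and the resource inventory are constructed for illustration. It shows that an Allow keyed on aws:RequestTag admits a properly tagged create and rejects an untagged one, that the same Allow keyed on aws:ResourceTag never matches a create call because the resource does not exist yet, and that neither approach says anything about resources that already exist.

```python
"""Toy IAM condition evaluator for tag-on-create policies (added example).

Not the real IAM policy engine: only StringEquals, StringNotEquals and
Null are modelled, and Action/Resource matching is reduced to an exact
action-name check. Values below are assumptions for illustration.
"""

# Assumed list of valid business-unit values for the costcenter tag.
VALID_BUSINESS_UNITS = ["finance", "marketing", "engineering"]

# Option A style: the tag must exist (Deny via Null) and carry an approved
# value (Allow via StringEquals) on the create request itself.
REQUEST_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": "*",
            "Condition": {"Null": {"aws:RequestTag/costcenter": "true"}},
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:RunInstances"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/costcenter": VALID_BUSINESS_UNITS}
            },
        },
    ],
}

# Option B style: the same Allow, but keyed on aws:ResourceTag.
RESOURCE_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:RunInstances"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/costcenter": VALID_BUSINESS_UNITS}
            },
        }
    ],
}


def _condition_holds(operator, key, expected, context):
    """One condition test. As in IAM, a String* operator is false when the
    key is absent from the request context; only Null can test absence."""
    values = expected if isinstance(expected, list) else [expected]
    actual = context.get(key)
    if operator == "Null":
        return (actual is None) == (values[0] == "true")
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual in values
    if operator == "StringNotEquals":
        return actual not in values
    raise ValueError(f"operator {operator} not modelled")


def evaluate(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        matched = all(
            _condition_holds(op, key, expected, context)
            for op, tests in stmt.get("Condition", {}).items()
            for key, expected in tests.items()
        )
        if matched:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision


def create_request_context(request_tags):
    """Context for a create call: only aws:RequestTag/* keys are present,
    because the resource (and so any aws:ResourceTag/*) does not exist yet."""
    return {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}


def find_noncompliant(inventory):
    """IDs of already-existing resources lacking a valid costcenter tag.

    This is the gap a create-time IAM condition cannot close; it is what a
    tag policy's compliance report (option C) surfaces instead."""
    return [
        r["id"] for r in inventory
        if r["tags"].get("costcenter") not in VALID_BUSINESS_UNITS
    ]


if __name__ == "__main__":
    run = "ec2:RunInstances"
    print(evaluate(REQUEST_TAG_POLICY, run, create_request_context({"costcenter": "finance"})))  # Allow
    print(evaluate(REQUEST_TAG_POLICY, run, create_request_context({})))  # Deny
    print(evaluate(REQUEST_TAG_POLICY, run, create_request_context({"costcenter": "nope"})))  # ImplicitDeny
    print(evaluate(RESOURCE_TAG_POLICY, run, create_request_context({"costcenter": "finance"})))  # ImplicitDeny
    # Constructed inventory of resources that existed before the policy.
    inventory = [
        {"id": "i-0a1", "tags": {"costcenter": "finance"}},
        {"id": "i-0b2", "tags": {}},
        {"id": "vol-0c3", "tags": {"costcenter": "unknown-bu"}},
    ]
    print(find_noncompliant(inventory))  # ['i-0b2', 'vol-0c3']
```

The last call is the point of the example: both IAM-based options leave i-0b2 and vol-0c3 untouched because they only ever see new create requests, and the option B policy additionally fails to match even the compliant create, since aws:ResourceTag is never in the context of a create call.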
C. This option creates an organization tag policy requiring that all resources carry the costcenter tag with a valid business unit value. Because the option to prevent noncompliant operations is not selected, resource creation continues without interruption while noncompliant resources are still reported. Monitoring through Amazon EventBridge captures the relevant noncompliance events, and because the tag policy is defined once at the organization level rather than as IAM policies maintained in every account, it provides comprehensive oversight with the least operational overhead. This is the option that best meets the requirements.
D. While this option also establishes a tag policy to enforce the costcenter tag, it selects the option to prevent operations when tags are noncompliant. That contradicts the requirement that resources should still be creatable and would disrupt resource creation. Although it does provide notifications, it does not offer the operational flexibility needed.