Which combination of steps will meet these requirements?
(Choose two.)
In Organizations, create a new tag policy that specifies the data sensitivity tag key and the required values. Enforce the tag values for the EC2 instances. Attach the tag policy to the appropriate OU.
In Organizations, create a new service control policy (SCP) that specifies the data sensitivity tag key and the required tag values. Enforce the tag values for the EC2 instances. Attach the SCP to the appropriate OU.
Create a tag policy to deny running instances when a tag key is not specified. Create another tag policy that prevents identities from deleting tags. Attach the tag policies to the appropriate OU.
Create a service control policy (SCP) to deny creating instances when a tag key is not specified. Create another SCP that prevents identities from deleting tags. Attach the SCPs to the appropriate OU.
Create an AWS Config rule to check if EC2 instances use the data sensitivity tag and the specified values. Configure an AWS Lambda function to delete the resource if a noncompliant resource is found.
Explanations:
Tag policies in AWS Organizations ensure that tags follow specified rules. By enforcing the data sensitivity tag on EC2 instances and attaching the tag policy to the correct organizational unit (OU), the company can control tag values and prevent the creation of EC2 instances without the tag.
Service Control Policies (SCPs) are used to control what actions are allowed in AWS accounts, not for enforcing tag creation or values. SCPs cannot directly enforce tag values or prevent instances from being launched without tags.
Tag policies cannot be used to deny actions such as creating instances or deleting tags directly. A tag policy can enforce tagging standards, but controlling instance creation or tag deletion should be done with SCPs.
SCPs can be used to prevent actions like launching instances without specific tags (e.g., data sensitivity) and can prevent users from deleting tags. This ensures compliance with the company’s requirements.
While an AWS Config rule can check for compliance with tag policies, using Lambda to delete resources is a reactive approach. The company wants proactive enforcement, which is better achieved with tag policies or SCPs.
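An SCP of the kind the explanations above describe, written here as an added example (it is not part of the original question set or an AWS-published sample). The tag key `DataSensitivity` and the allowed values `public`, `internal` and `confidential` are assumptions; substitute the company's actual key and values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutDataSensitivityTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": { "aws:RequestTag/DataSensitivity": "true" }
      }
    },
    {
      "Sid": "DenyRunInstancesWithUnapprovedValue",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/DataSensitivity": ["public", "internal", "confidential"]
        }
      }
    },
    {
      "Sid": "DenyRetaggingToUnapprovedValue",
      "Effect": "Deny",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": ["DataSensitivity"] },
        "StringNotEquals": {
          "aws:RequestTag/DataSensitivity": ["public", "internal", "confidential"]
        }
      }
    },
    {
      "Sid": "DenyDeletingDataSensitivityTag",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": ["DataSensitivity"] }
      }
    }
  ]
}
```

The `ec2:CreateTags` statement goes slightly beyond the option's wording: without it a principal could overwrite the tag with an unapproved value without ever calling `DeleteTags`. SCPs never apply to the management account, so the policy must be attached to an OU containing the member accounts that launch the instances.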