Which solution will meet these requirements?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A company is running its production and nonproduction environment workloads in multiple AWS accounts.The accounts are in an organization in AWS Organizations.The company needs to design a solution that will prevent the modification of cost usage tags.

Which solution will meet these requirements?

Create a custom AWS Config rule to prevent tag modification except by authorized principals.

Create a custom trail in AWS CloudTrail to prevent tag modification.

Create a service control policy (SCP) to prevent tag modification except by authorized principals.

Create custom Amazon CloudWatch logs to prevent tag modification.

Explanations:

AWS Config rules can monitor the configuration of AWS resources but cannot directly prevent modifications. They can trigger notifications or actions when changes occur but do not enforce policies.

AWS CloudTrail records AWS API calls and actions but does not have the capability to prevent or modify actions. It can be used for auditing but not for enforcing restrictions on tag modification.

Service Control Policies (SCPs) can be used in AWS Organizations to manage permissions across accounts. An SCP can explicitly deny the ability to modify cost usage tags, ensuring only authorized principals can make such changes.

Amazon CloudWatch logs can be used for logging and monitoring, but they do not provide a mechanism for preventing actions. They can help in auditing but cannot enforce restrictions on tag modification.

2025-10-05

1 Comment

  1. Samuel
    Author

    I deduce that the answer is:
    Create a service control policy (SCP) to prevent tag modification except by authorized principals.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × 2 =