Which solution will meet these requirements?
Create a custom AWS Config rule to prevent tag modification except by authorized principals.
Create a custom trail in AWS CloudTrail to prevent tag modification.
Create a service control policy (SCP) to prevent tag modification except by authorized principals.
Create custom Amazon CloudWatch logs to prevent tag modification.
Explanations:
AWS Config rules can monitor the configuration of AWS resources but cannot directly prevent modifications. They can trigger notifications or actions when changes occur but do not enforce policies.
AWS CloudTrail records AWS API calls and actions but does not have the capability to prevent or modify actions. It can be used for auditing but not for enforcing restrictions on tag modification.
Service Control Policies (SCPs) can be used in AWS Organizations to manage permissions across accounts. An SCP can explicitly deny the ability to modify cost usage tags, ensuring only authorized principals can make such changes.
Amazon CloudWatch logs can be used for logging and monitoring, but they do not provide a mechanism for preventing actions. They can help in auditing but cannot enforce restrictions on tag modification.