Which solution will meet these requirements?
Create an IAM group that has a conditional Allow policy that requires the application name tag to be specified for resources to be created.
Create a cross-account role that has a Deny policy for any resource that has the application name tag.
Create a resource group in AWS Resource Groups to validate that the tags are applied to all resources in all accounts.
Create a tag policy in Organizations that has a list of allowed application names.
Explanations:
While an IAM group with a conditional Allow policy could enforce tagging, it only requires the tag to be present; it does not restrict the tag's values, so it cannot ensure that only approved values are used.
A cross-account role with a Deny policy would prevent the creation of any resource that has the application name tag, which is overly restrictive and does not allow for approved values to be used. This approach does not facilitate resource creation under the correct conditions.
Creating a resource group to validate tags does not enforce any restrictions on resource creation. It can help manage resources but cannot prevent resources from being created without approved application name tags.
A tag policy in AWS Organizations defines the approved tag values for resources across the organization. This ensures that only resources with specific, approved application name tags can be created, fulfilling the requirement for the development teams.