Help – Is tag policy same as SCP in AWS Organizations

[Dash]

I saw the following question and I am not sure if the provided answer is correct!!

An enterprise has several development and production AWS accounts managed under its AWS Organization. Consolidated billing is enabled in the organization but the management wants more visibility on the AWS Billing and Cost Management. With the sudden increase in the Amazon RDS and Amazon DynamoDB costs, the management required all CloudFormation templates to enforce a consistent tagging with cost center numbers and project ID numbers on all resources that will be provisioned. The management also wants these tags to be enforced in all existing and future DynamoDB and RDS instances.

Which of the following options is the recommended strategy to meet the company requirements?

A) Tag all existing resources in bulk using the Tag Editor. On the Billing and Cost Management page, create new cost allocation tags for the cost center and project ID. Apply an SCP on the organizational unit that denies users from creating resources that do not have the cost center and project ID tags.

B) Create an AWS Config rule to check for any untagged resource and send a notification email to the finance team. Write a Lambda function that has a cross-account role to tag all RDS databases and DynamoDB resources on all accounts under the organization. Schedule this function to run every hour.

C) Tag all existing resources in bulk using the Tag Editor. On the Billing and Cost Management page, create new cost allocation tags for the cost center and project ID. Wait for at least 24 hours to allow AWS to propagate the tags and gather cost reports.

D) On the Billing and Cost Management page, create new cost allocation tags for the cost center and project ID. Wait for at least 24 hours to allow AWS to propagate the tags and gather cost reports. Update existing federated roles to deny users from creating resources that do not have the cost center and project ID tags.

The answer provided is A.

But the looking at AWS documentation, it is the “Tag Policy” that can enforce tagging and prevent resources from being created if tagging is not enforced.

AWS Organization offers the following policies:

Authorization policies

Service control policies (SCPs): offer central control over the maximum available permissions for all of the accounts in your organization.

Management policies

Artificial Intelligence (AI) services opt-out policies

Backup policies

Tag policies: help you standardize the tags attached to the AWS resources in your organization’s accounts.

I am not able to understand how you can manage tagging by SCPs?

[Kenneth-Samonte-Tutorials-Dojo]

Hello Dash,

Thank you for your feedback.

Using SCP to control tagging policies on resources is a best practice recommended by AWS.

Scroll down on this link: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-best-practices.html

For an example SCP, see this link: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html#example-require-tag-on-create

This SCP will require a TAG for creating an EC2 instance. If there is no specific tag on that instance, the EC2 creation is denied.

Basically, you will create an SCP that has a policy that Denies the creation of a resource if it does not have a proper tag.

For example, in this scenario, all EC2 instances need to have a “Project ID” tag.

So is a user creates a new EC2 instance without the proper “Project ID” on the tags, that action will be denied and the EC2 instance will not be created.

Hope this helps.

Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

Regards,

Kenneth Samonte @ Tutorials Dojo