-
tag enforcement question erratum
Kenneth-Samonte-Tutorials-Dojo updated 2 years, 3 months ago 2 Members · 2 Posts
-
Q: A company has a designated AWS account for each project of its development team. All of these AWS accounts are linked to the main AWS account under the same AWS Organizations. The CFO allocates a budget for each project owner. Each project owner is allowed to provision any cloud resources that they need but all resources should have the Project tag which is used for cost allocation. After a recent audit, several team members are not adding the Project tag on their Amazon EC2 instances which results in inaccurate cost reports.
Which of the following steps should be implemented to identify instances with the missing tag and to prevent the creation of instances without the Project tag? (Select THREE.)
A (indicated as correct): Configure an AWS Config aggregator for the AWS organization to generate a list of all EC2 instances with the Project tag. [emphasis mine]
=> This is not correct as stated; this answer should say “without” the Project tag in order to correctly identify instances with the missing tag.
-
Hi gch99,
Thank you for your feedback.
The question asks “to identify instances with the missing tag and to prevent the creation of instances without the Project tag”.
The options:
Apply an SCP to the AWS Organization that will deny the ec2:RunInstances action if the Project tag is not applied.
and
Create an IAM policy on each project account that will deny the ec2:RunInstances action if the Project tag is not applied.
will prevent users from provisioning instances without the Project tag.
While the option, Configure an AWS Config aggregator for the AWS organization to generate a list of all EC2 instances without the Project tag, will list the instances without the Project tag.
I have updated the choices and explanation to reflect this.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
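The SCP option discussed in the reply above, written out as an added example that is not part of either forum post or of the Tutorials Dojo material. The Sid, the `is_denied` helper, the account ID and the region are assumptions made for illustration, and the helper is a simplified local model of this one statement shape, not the IAM policy engine.

```python
import json
from fnmatch import fnmatchcase

# SCP statement: deny ec2:RunInstances on the instance resource when the
# request carries no Project tag (Null condition on aws:RequestTag/Project).
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRunInstancesWithoutProjectTag",  # hypothetical name
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"Null": {"aws:RequestTag/Project": "true"}},
    }],
}

def is_denied(policy, action, resource, request_tags):
    """Simplified model: Deny statements with one Action, one Resource
    pattern and a Null condition on aws:RequestTag/<key> only."""
    # IAM matches condition key names case-insensitively, so a request tag
    # keyed "project" also satisfies aws:RequestTag/Project.
    present = {k.lower() for k in request_tags}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        if not fnmatchcase(resource, stmt["Resource"]):
            continue
        for cond_key, want_null in stmt["Condition"]["Null"].items():
            tag_key = cond_key.split("/", 1)[1].lower()
            key_is_null = tag_key not in present
            if key_is_null != (want_null == "true"):
                break  # condition not met, statement does not apply
        else:
            return True  # every condition matched: explicit deny
    return False

# Constructed sample resources (account ID and region are placeholders).
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/*"
VOLUME = "arn:aws:ec2:us-east-1:111122223333:volume/*"

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))  # the policy document itself
    print(is_denied(SCP, "ec2:RunInstances", INSTANCE, {}))  # untagged launch
```

The Null condition only checks that the Project key is present in the request; it does not constrain the tag's value.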