2 Answers
Hi there,
I’ve seen this question in the past; A is the correct answer. You can’t apply IAM policy at Org level, it’s SCP.
Source: Managing AWS Organizations Policies
This has been passed on to ACG content team for review.
I don’t agree with T.J’s answer. That option says: "Organizations with accounts grouped by OU. Add an SCP to all the member accounts of the OUs, with an aws:TagKeys condition, which requires its principals to add tags to EC2 instances at creation"
What you mentioned that you can’t apply IAM policy at Org level is correct but the act of requiring the principals to "add tags" to EC2 instances at creation is a type of policy which an IAM Policy is suitable for, and not SCP. Answer B says "Add an IAM policy to the individual member accounts", it didn’t say "…apply IAM Policy to the OU."
I also saw this kind of question in one Udemy practice tests that I am using just now. This knowledge brief from AWS is my source of truth:
https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-tags-restrict/
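The distinction the thread is drawing (an identity-based IAM policy carrying `aws:RequestTag/<key>` and `aws:TagKeys` conditions on `ec2:RunInstances`) is easier to reason about when you can see which requests the conditions actually let through. The script below is an added example, not code from this thread, from A Cloud Guru, or from the linked AWS article: it is a small, simplified evaluator of IAM `StringEquals` / `ForAllValues:StringEquals` semantics, and the two policies in it are constructed for illustration (they follow the article's pattern but are not copied from it). It models only the instance-resource statement; a real `RunInstances` call also needs allows on the image, subnet, security group and other resources, which are left out here. The point it shows is the one a defender cares about: `ForAllValues:aws:TagKeys` on its own is vacuously true when no tags are sent, so a policy that is meant to *require* tags needs a single-valued `aws:RequestTag/...` condition (or a `Null` check) as well.

```python
"""Constructed IAM condition evaluator for tag-enforcing ec2:RunInstances policies.

Added example; not the thread's, ACG's or AWS's code. Implements only the
subset of IAM evaluation needed here (Action/Resource wildcards, StringEquals,
ForAllValues/ForAnyValue set quantifiers, ${aws:username} substitution).
"""
import fnmatch

INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/*"  # constructed sample ARN

# Policy A (constructed): requires an Owner tag equal to the caller and limits tag keys.
POLICY_REQUIRE_OWNER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RunInstancesOnlyWithOwnerTag",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
            # single-valued key: fails when the tag is absent or has another value
            "StringEquals": {"aws:RequestTag/Owner": "${aws:username}"},
            # multi-valued key: every tag key supplied must be in this list
            "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "Name"]},
        },
    }],
}

# Policy B (constructed): the common mistake, relying on aws:TagKeys alone.
POLICY_TAGKEYS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RunInstancesTagKeysOnly",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "Name"]}},
    }],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _string_equals(actual, expected, ctx):
    # Resolve the ${aws:username} policy variable against the request context.
    resolved = [e.replace("${aws:username}", ctx.get("aws:username", "")) for e in _as_list(expected)]
    return actual in resolved


def _condition_ok(condition, ctx):
    """True when every condition block in the statement matches the request context."""
    for operator, pairs in condition.items():
        quantifier, _, base = operator.rpartition(":")  # "ForAllValues:StringEquals" -> ("ForAllValues", "StringEquals")
        if base != "StringEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            values = _as_list(ctx.get(key))
            if quantifier == "ForAllValues":
                # Set operator: vacuously true when the key is absent from the request.
                if not all(_string_equals(v, expected, ctx) for v in values):
                    return False
            elif quantifier == "ForAnyValue":
                if not any(_string_equals(v, expected, ctx) for v in values):
                    return False
            else:
                # Single-valued operator: an absent key never matches.
                if len(values) != 1 or not _string_equals(values[0], expected, ctx):
                    return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny': explicit Deny wins, otherwise implicit Deny unless some statement allows."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def run_instances_context(username, tags):
    """Request context RunInstances presents when TagSpecifications carry these tags (empty tags: no tag keys at all)."""
    ctx = {"aws:username": username}
    for key, value in tags.items():
        ctx[f"aws:RequestTag/{key}"] = value
    if tags:
        ctx["aws:TagKeys"] = list(tags)
    return ctx


def launch_decision(policy, username, tags):
    return evaluate(policy, "ec2:RunInstances", INSTANCE_ARN, run_instances_context(username, tags))


if __name__ == "__main__":
    cases = [("alice", {"Owner": "alice", "Name": "web"}), ("alice", {}),
             ("alice", {"Owner": "bob"}), ("alice", {"Owner": "alice", "CostCenter": "42"})]
    for name, policy in (("require-owner", POLICY_REQUIRE_OWNER), ("tagkeys-only", POLICY_TAGKEYS_ONLY)):
        for user, tags in cases:
            print(f"{name:14s} user={user} tags={tags} -> {launch_decision(policy, user, tags)}")
```

Running it shows that the `require-owner` policy denies an untagged launch while the `tagkeys-only` policy allows it, which is why the Knowledge Center pattern pairs `aws:TagKeys` with an `aws:RequestTag/<key>` condition rather than using the set operator alone.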
I think I agree with Wilson here, specifically with the link to the Knowledge Center article. Lots of times when I’m writing exam simulator questions, I will follow a similar pattern of finding an article or whitepaper scenario and build a question around it. The AWS exam writers do the same thing to reinforce the best practice concepts. This question seems like it is from this article. Now, that said, one MIGHT be able to get this to work using an SCP although I haven’t tried it. SCPs are designed to limit the maximum permissions for entire accounts but it might be possible to enforce the TagKeys condition to be required. In practice, I would much rather use a Service Catalog method for this sort of thing…it would be cleaner. This is the real challenging part of writing exam sim questions…you have to be sure there isn’t some sneaky way to get the other "incorrect" options to work.
Thanks for clarifying Wilson. I agree with your answer too
Thanks Scott!
Thanks. I also had the same impression. What do you mean by "This has been passed on to ACG content team for review."?
Hi Po, might I ask where you saw this question? Was it in an A Cloud Guru exam simulator or quiz, or from somewhere else?
hi Scott…somewhere else…definitely not AcloudGuru 🙂 …do you confirm it’s inaccurate?
It’s debatable, but I think I agree with Wilson’s answer below.