Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in how to effectively identify and manage untagged resources across multiple AWS accounts. In production, this is about knowing exactly which AWS service and tools provide authoritative tracking and remediation capabilities for tagging compliance, rather than just manual or partial approaches. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
TechNova Solutions recently acquired a smaller firm along with their entire AWS environment, which includes multiple AWS accounts. A financial analyst requests detailed cost data organized by project tagging. The Site Reliability Engineer generates Cost and Usage Reports via Cost Explorer, but notices that 20% of the monthly cost is attributed to resources that have no associated tag keys. To provide accurate chargeback reports, the SRE needs to identify and tag these untagged resources efficiently.
The Requirement: #
How should the SRE apply tags to all currently untagged resources across TechNova’s AWS accounts to improve cost allocation accuracy?
The Options #
- A) Add all accounts to AWS Organizations and enforce tagging by applying Service Control Policies (SCPs) that require tags on all new resources.
- B) Use AWS Config rules to detect untagged resources and implement automated remediation actions to terminate non-compliant resources.
- C) Use Cost Explorer reports to find untagged resources and manually tag each identified resource.
- D) Use AWS Resource Groups Tag Editor to locate all untagged resources and apply tags in bulk.
Google adsense #
leave a comment:
Correct Answer #
D
Quick Insight: The SysOps Tagging Imperative #
- For SOA candidates, this is about leveraging AWS Tag Editor as the operational tool for bulk tagging across multiple resource types and accounts.
- Automated remediation via AWS Config to terminate resources (Option B) is overly destructive and not suitable for tagging correction.
- Service Control Policies (Option A) enforce compliance on new resources, but do nothing for existing untagged resources.
- Cost Explorer (Option C) cannot modify tags or identify all resource types directly; it only reports costs.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option D
The Winning Logic #
AWS Resource Groups Tag Editor is the most appropriate native tool to discover and bulk remediate missing tags on existing resources across one or more AWS accounts. It supports multiple resource types and can perform bulk tag operations, enabling the SRE to efficiently address untagged resources to improve cost allocation granularity.
- Option A (SCP Enforcement) only enforces tagging on newly created resources after the policy is in place, leaving historical untagged resources unchanged.
- Option B (Config rule terminating resources) is a destructive approach that would cause unnecessary downtime and should be avoided unless in highly controlled scenarios.
- Option C (using Cost Explorer to tag resources) is not feasible as Cost Explorer is a reporting tool without the ability to edit resource tags.
The solution balances operational safety and completeness, enabling gradual remediation without interrupting services.
The Trap (Distractor Analysis) #
- Why not A? SCPs are ideal for governance on new resources but do not retroactively fix existing resource metadata and therefore cannot help recover past tagging compliance.
- Why not B? Using Config remedial actions that automatically terminate resources based on lack of tags is rarely appropriate—it risks service disruption without explicit stakeholder approval.
- Why not C? Cost Explorer data can highlight cost distribution by tags but does not provide resource-level editing capabilities or a complete resource inventory.
The Technical Blueprint #
# Example CLI snippet to start bulk tagging with Resource Groups Tag Editor (using AWS CLI):
# List resources missing the "Project" tag
aws resourcegroupstaggingapi get-resources --tag-filters Key=Project
# To add a tag to multiple resources:
aws resourcegroupstaggingapi tag-resources --resource-arn-list arn:aws:ec2:region:account:instance/instance-id ... --tags Project=NewProject
# Alternatively, open Tag Editor in the AWS Console to visually identify and manage tags.
The Comparative Analysis (SysOps Lens) #
| Option | Operational Overhead | Automation Level | Impact |
|---|---|---|---|
| A | Medium | Preventative (New only) | Enforces tagging on newly created resources; no effect on existing. |
| B | High | Remediation (Destructive) | Terminates untagged resources, causing downtime risks. |
| C | High | Manual | Requires manual tagging based on partial reports; inefficient. |
| D | Low | Bulk Edit (Non-disruptive) | Enables bulk identification and tagging of existing untagged resources safely. |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the SOA-C02 exam, when you need to fix untagged resources across accounts, think AWS Resource Groups Tag Editor for bulk, non-disruptive tagging.
Real World #
In a live environment, combining tagging enforcement via SCPs with AWS Config rules for alerting (not auto-termination) plus periodic use of Tag Editor ensures tagging compliance over time without risking service availability.
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the SOA-C02 exam.