
AWS SAA-C03 Drill: Tag Governance at Scale - The Automation vs. Manual Effort Trade-off

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.

While preparing for the AWS SAA-C03, many candidates are unsure when to choose managed governance automation over custom scripting. In the real world, this is fundamentally a decision about operational overhead vs. feature maturity. Let’s drill into a simulated scenario.

The Scenario

TechFlow Industries, a SaaS platform provider, runs their application infrastructure on AWS using Amazon EC2 instances for compute, Amazon RDS for transactional databases, and Amazon Redshift for analytics workloads. As part of their new FinOps initiative, the finance team requires that all resources must be tagged with CostCenter, Environment, and Owner tags to enable accurate chargeback reporting.

The cloud governance team needs a solution that continuously monitors and identifies untagged resources across these three service types. The team has limited headcount and wants to minimize the ongoing operational effort required to maintain this compliance check.

Key Requirements

Implement a solution that:

  • Detects EC2 instances, RDS databases, and Redshift clusters lacking required tags
  • Minimizes manual maintenance and operational overhead
  • Provides visibility into non-compliant resources

The Options

  • A) Use AWS Config rules to define and detect resources that are not properly tagged.
  • B) Use Cost Explorer to display untagged resources, then manually tag those resources.
  • C) Write API calls to check tag assignments on all resources, and run this code periodically on an EC2 instance.
  • D) Write API calls to check tag assignments on all resources, and trigger the code periodically using an AWS Lambda function scheduled through Amazon CloudWatch Events.

Correct Answer

Option A.

The Architect’s Analysis

Correct Answer

Option A – Use AWS Config rules to define and detect resources that are not properly tagged.

Step-by-Step Winning Logic

This solution achieves native automation with zero operational overhead:

  1. Built-in Managed Rules: AWS Config offers required-tags as a managed rule that supports EC2, RDS, and Redshift out of the box
  2. Continuous Evaluation: Automatically evaluates resources when they’re created or modified
  3. No Code Maintenance: No Lambda code to debug, no EC2 instance to patch, no API pagination logic to maintain
  4. Compliance Dashboard: Provides a centralized compliance dashboard with historical tracking
  5. Remediation Ready: Integrates with AWS Systems Manager Automation for auto-remediation workflows
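The rule definition and the check it performs, as an added example that is not the article's own code: the boto3 put_config_rule() payload for the managed REQUIRED_TAGS rule scoped to the three resource types, plus a local evaluator that applies the same key and allowed-value parameters, so you can see what a COMPLIANT or NON_COMPLIANT verdict means before enabling the rule. The rule name, the allowed Environment values and the deploy() helper are assumptions.

```python
import json

# Tag keys the finance team requires on every EC2, RDS and Redshift resource
REQUIRED_TAGS = ("CostCenter", "Environment", "Owner")
# Config resource type identifiers the rule is scoped to
SCOPED_TYPES = ["AWS::EC2::Instance", "AWS::RDS::DBInstance", "AWS::Redshift::Cluster"]

def build_required_tags_rule(name="techflow-required-tags", allowed_values=None):
    """Return the put_config_rule(ConfigRule=...) payload for the managed rule.

    REQUIRED_TAGS takes tag1Key..tag6Key and optional tag1Value..tag6Value
    (comma-separated allowed values) as a JSON string in InputParameters.
    allowed_values maps a tag key to the values it may take (assumed here).
    """
    allowed_values = allowed_values or {}
    params = {}
    for i, key in enumerate(REQUIRED_TAGS, start=1):
        params[f"tag{i}Key"] = key
        if key in allowed_values:
            params[f"tag{i}Value"] = ",".join(allowed_values[key])
    return {
        "ConfigRuleName": name,
        "Description": "FinOps chargeback tags required on EC2, RDS and Redshift",
        "Scope": {"ComplianceResourceTypes": SCOPED_TYPES},
        "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"},
        "InputParameters": json.dumps(params),
    }

def evaluate_tags(tags, rule):
    """Apply the rule's key/allowed-value parameters to one resource's {key: value}
    tag map; returns (compliance, offending_keys). This is a local approximation
    of what Config reports, useful for checking a tag policy before enabling it."""
    params = json.loads(rule["InputParameters"])
    problems = []
    for i in range(1, 7):
        key = params.get(f"tag{i}Key")
        if key is None:
            continue
        allowed = params.get(f"tag{i}Value")
        if key not in tags or (allowed and tags[key] not in allowed.split(",")):
            problems.append(key)
    return ("NON_COMPLIANT" if problems else "COMPLIANT", problems)

def deploy(rule, region="us-east-1"):
    """Create or update the rule; needs boto3 and credentials, so it is not run here."""
    import boto3  # imported lazily so the rest of the module works offline
    boto3.client("config", region_name=region).put_config_rule(ConfigRule=rule)
```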

FinOps Impact: For an organization with 500 resources, AWS Config costs approximately $2/resource/month for the first 100,000 evaluations, totaling ~$1,000/month. Compare this to 10 engineer-hours monthly ($1,500-$3,000) spent on manual audits or script maintenance.

The Traps (Distractor Analysis)

Why not Option B (Cost Explorer + Manual Tagging)?

  • Not a Detection System: Cost Explorer shows cost allocation tags after resources incur costs—it’s a reporting tool, not a compliance engine
  • Manual Scale Problem: Requires human intervention for every violation; doesn’t scale beyond 50 resources
  • No Prevention: Doesn’t prevent untagged resources from being created in the first place
  • Real-World Failure: In practice, this approach creates a 3-5 day lag between resource creation and tagging, causing finance report inaccuracies

Why not Option C (EC2-based Script)?

  • Operational Overhead: Requires maintaining an EC2 instance (patching, scaling, monitoring)
  • Single Point of Failure: If the EC2 instance fails, compliance checks stop
  • Hidden Costs: EC2 runtime costs + storage + data transfer + engineer time for maintenance
  • Poor Architecture: Uses a compute service to monitor other compute services—creates a circular dependency

Why not Option D (Lambda + CloudWatch Events)?

  • Better than C, but still suboptimal: This is a valid serverless approach that eliminates the EC2 maintenance burden
  • Reinventing the Wheel: Requires writing, testing, and maintaining custom code that AWS Config already provides as a managed service
  • API Complexity: Must handle pagination, rate limiting, and error handling across multiple service APIs (EC2, RDS, Redshift)
  • Limited Reporting: Custom scripts lack the built-in compliance dashboards and historical tracking that Config provides
  • Real-World Context: This is what teams built before AWS Config existed; it’s now considered a legacy pattern
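What the custom code in Option D actually has to do, as an added example that is not the article's own code: each of the three APIs nests resources differently and names the tag list differently, so the script needs one adapter per service before it can even compare tag keys, and the paginated scan_account() sketch shows where pagination and throttling become the team's problem. The sample pages, identifiers and account number are constructed; the Lambda handler name is an assumption.

```python
# Constructed sample pages in the shape describe_instances, describe_db_instances
# and describe_clusters return; scan_account() below fetches real ones.
EC2_PAGE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "CostCenter", "Value": "cc-42"},
                                      {"Key": "Environment", "Value": "prod"},
                                      {"Key": "Owner", "Value": "ops"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Name", "Value": "scratch"}]},
]}]}
RDS_PAGE = {"DBInstances": [{"DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:orders",
                             "TagList": [{"Key": "CostCenter", "Value": "cc-42"},
                                         {"Key": "Environment", "Value": "prod"}]}]}
REDSHIFT_PAGE = {"Clusters": [{"ClusterIdentifier": "analytics", "Tags": []}]}
REQUIRED_TAGS = ("CostCenter", "Environment", "Owner")

# One adapter per service: each API nests resources differently and names the
# tag list differently (Tags vs TagList), which is the "API complexity" above.
ADAPTERS = {
    "ec2": lambda page: ((i["InstanceId"], i.get("Tags", []))
                         for r in page["Reservations"] for i in r["Instances"]),
    "rds": lambda page: ((d["DBInstanceArn"], d.get("TagList", [])) for d in page["DBInstances"]),
    "redshift": lambda page: ((c["ClusterIdentifier"], c.get("Tags", [])) for c in page["Clusters"]),
}

def find_noncompliant(pages, required=REQUIRED_TAGS):
    """pages: iterable of (service, page_dict). Returns {resource_id: [missing keys]}."""
    findings = {}
    for service, page in pages:
        for rid, tag_list in ADAPTERS[service](page):
            present = {t["Key"] for t in tag_list}
            missing = [k for k in required if k not in present]
            if missing:
                findings[rid] = missing
    return findings

def scan_account(region="us-east-1"):
    """Paginated scan of a real account (needs boto3 and credentials; not run here).
    Pagination, throttling retries and per-service errors are all the script's
    problem, which is exactly the upkeep Option A hands to Config."""
    import boto3  # lazy import keeps the module usable offline
    pages = []
    for service, op in (("ec2", "describe_instances"), ("rds", "describe_db_instances"),
                        ("redshift", "describe_clusters")):
        paginator = boto3.client(service, region_name=region).get_paginator(op)
        pages.extend((service, page) for page in paginator.paginate())
    return find_noncompliant(pages)

def handler(event, context):
    """Lambda entry point for the EventBridge/CloudWatch Events schedule (assumed name)."""
    return scan_account()
```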

The Architect Blueprint

    graph TB
      subgraph "AWS Account"
        EC2[EC2 Instances]
        RDS[RDS Databases]
        Redshift[Redshift Clusters]
      end
      subgraph "AWS Config Service"
        Recorder[Config Recorder]
        Rule[Managed Rule: required-tags]
        Dashboard[Compliance Dashboard]
      end
      subgraph "Notification & Remediation"
        SNS[SNS Topic]
        SSM[Systems Manager Automation]
      end
      EC2 -->|Resource Changes| Recorder
      RDS -->|Resource Changes| Recorder
      Redshift -->|Resource Changes| Recorder
      Recorder -->|Evaluates| Rule
      Rule -->|Compliance Status| Dashboard
      Rule -->|Non-Compliant| SNS
      SNS -->|Trigger| SSM
      SSM -->|Auto-Tag| EC2
      SSM -->|Auto-Tag| RDS
      style Rule fill:#2ecc71,stroke:#27ae60,stroke-width:3px
      style Dashboard fill:#3498db,stroke:#2980b9,stroke-width:2px
      style SSM fill:#f39c12,stroke:#e67e22,stroke-width:2px

Diagram Note: AWS Config Recorder continuously tracks resource configuration changes, evaluates them against the required-tags rule, surfaces compliance status in a centralized dashboard, and optionally triggers auto-remediation through Systems Manager Automation.

The Decision Matrix

Option A: AWS Config Rules
  • Est. Complexity: Low
  • Est. Monthly Cost: $1,000-$1,500 (500 resources)
  • Pros: ✅ Zero operational overhead; ✅ Managed service; ✅ Compliance history; ✅ Auto-remediation ready
  • Cons: ❌ Costs scale with resource count; ❌ Requires Config enablement per region

Option B: Cost Explorer + Manual
  • Est. Complexity: Low (setup)
  • Est. Monthly Cost: $0 (AWS service) + $3,000 (labor/month)
  • Pros: ✅ No additional AWS costs; ✅ Simple to understand
  • Cons: ❌ Does not scale; ❌ Reactive, not preventive; ❌ High labor cost; ❌ 3-5 day lag

Option C: EC2 + Cron Script
  • Est. Complexity: High
  • Est. Monthly Cost: $50 (t3.medium) + $1,500 (maintenance/month)
  • Pros: ✅ Full control over logic; ✅ Predictable compute cost
  • Cons: ❌ Requires instance management; ❌ Single point of failure; ❌ High maintenance burden

Option D: Lambda + CloudWatch
  • Est. Complexity: Medium
  • Est. Monthly Cost: $20-$50 (Lambda/month) + $800 (development/maintenance)
  • Pros: ✅ Serverless architecture; ✅ Low AWS costs; ✅ No infrastructure to manage
  • Cons: ❌ Custom code to maintain; ❌ API complexity (pagination, rate limits); ❌ No built-in compliance dashboard

FinOps Analysis: While Option D has the lowest AWS service cost, the Total Cost of Ownership (TCO) including engineering time makes Option A the clear winner for this associate-level requirement. At scale (5,000+ resources), organizations often combine Config for detection with Lambda for complex custom remediation logic.

Real-World Practitioner Insight

Exam Rule

For the SAA-C03 exam, when you see keywords like “minimize operational overhead”, “continuous compliance”, or “governance at scale”, AWS Config Rules is almost always the correct answer for resource compliance monitoring.

Real World

In production environments, mature cloud teams implement a layered governance approach:

  1. Preventive Controls: Use AWS Organizations Service Control Policies (SCPs) to block resource creation without required tags
  2. Detective Controls: AWS Config Rules to identify non-compliant resources that bypassed preventive controls
  3. Corrective Controls: Systems Manager Automation to auto-remediate or SNS to alert security teams
  4. Cost Optimization: For startups with <100 resources, a scheduled Lambda function (Option D) may be more cost-effective than Config’s per-resource pricing
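The preventive layer from step 1, as an added example that is not the article's own code: an SCP with one explicit Deny per required key, using the Null condition on aws:RequestTag so that a create call that carries no such tag is refused, plus a small simulator of that one policy pattern. The Sid names and the resource ARN patterns for the three create actions are assumptions; real authorization is done by AWS. SCPs never apply to the management account and only gate APIs that accept tags at creation time, which is why the detective Config rule from step 2 stays in place.

```python
REQUIRED_TAGS = ("CostCenter", "Environment", "Owner")
# Create calls that accept tags in the request, and the ARN pattern of what they create
CREATE_ACTIONS = ["ec2:RunInstances", "rds:CreateDBInstance", "redshift:CreateCluster"]
CREATED_RESOURCES = ["arn:aws:ec2:*:*:instance/*", "arn:aws:rds:*:*:db:*",
                     "arn:aws:redshift:*:*:cluster:*"]

def build_scp():
    """One explicit Deny per required key. The Null condition is "true" when the
    request carries no aws:RequestTag/<Key>, so an untagged create is refused."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": f"DenyCreateWithout{key}", "Effect": "Deny",
         "Action": CREATE_ACTIONS, "Resource": CREATED_RESOURCES,
         "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}}}
        for key in REQUIRED_TAGS]}

def is_denied(scp, action, request_tags):
    """Simulate only the Null-on-RequestTag pattern built above for one create
    request; request_tags is the {key: value} map sent with the call."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        for cond_key, must_be_null in stmt["Condition"]["Null"].items():
            tag_key = cond_key.split("/", 1)[1]
            # Null is satisfied when presence of the key matches the expected state
            if (tag_key not in request_tags) == (must_be_null == "true"):
                return True
    return False
```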

Production Gotcha: The exam scenario doesn’t mention it, but Config’s required-tags rule has a regional scope. For multi-region deployments, you need to enable Config in each region or use AWS Config Aggregators to centralize compliance data—this is a common SAP-level (Professional) consideration.

Hybrid Pattern: Large enterprises often use AWS Config for compliance visibility and custom Lambda functions for complex business logic (e.g., “Tag resources based on subnet CIDR range” or “Inherit tags from parent organizational units”).