Learn how to restrict IAM actions to administrator roles across every account in an AWS Organization, and which control does so with the least operational overhead when the architect cannot log in to each account.
Question
A company uses AWS Organizations to manage its AWS accounts. A solutions architect must design a solution in which only administrator roles are allowed to use IAM actions. However, the solutions architect does not have access to all the AWS accounts throughout the company.
Which solution meets these requirements with the LEAST operational overhead?
A. Create an SCP that applies to all the AWS accounts to allow IAM actions only for administrator roles. Apply the SCP to the root OU.
B. Configure AWS CloudTrail to invoke an AWS Lambda function for each event that is related to IAM actions. Configure the function to deny the action if the user who invoked the action is not an administrator.
C. Create an SCP that applies to all the AWS accounts to deny IAM actions for all users except for those with administrator roles. Apply the SCP to the root OU.
D. Set an IAM permissions boundary that allows IAM actions. Attach the permissions boundary to every administrator role across all the AWS accounts.
Answer
C. Create an SCP that applies to all the AWS accounts to deny IAM actions for all users except for those with administrator roles. Apply the SCP to the root OU.
Explanation
An SCP attached to the organization root is inherited by every OU and account beneath it, and it is created and attached from the management account alone, so the solutions architect needs no access to the individual member accounts. An SCP never grants permissions; it only sets the maximum a principal in a member account can do. The control therefore has to be written as an explicit Deny on iam:* with a Condition on aws:PrincipalArn that exempts the administrator role ARN pattern. Deny statements in SCPs support Condition elements, which is why C works and A does not: Allow statements in SCPs cannot carry a Condition, and an Allow in an SCP grants nothing by itself.
Option B is reactive rather than preventive. CloudTrail delivers an event after the API call has already succeeded, so a Lambda function can at best undo the change, and the pipeline is one more thing to operate. Option D fails on both requirements: a permissions boundary caps what the role it is attached to can do and has no effect on any other principal, so attaching one to administrator roles restricts the administrators rather than the non-administrators, and attaching it in every account needs exactly the per-account access the architect lacks.
Two caveats apply to the SCP approach: SCPs do not affect principals in the management account, and they do not restrict service-linked roles, so the organization's own administrators and AWS services are unaffected by the deny. Role names used in the condition should be protected from being created by non-administrators, otherwise a user who can create a role with the exempted name could escape the restriction.
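The SCP that option C describes, together with a small offline evaluator that shows which principals it stops, as an added example that is not part of the original page. The role name OrganizationAdministrator, the account IDs and the sample principal ARNs are assumptions made for this example; the evaluator models only the policy-language subset the policy uses (a Deny on an action pattern with a StringNotLike condition on aws:PrincipalArn), not the full IAM evaluation logic.

```python
"""SCP that denies IAM actions to everything except administrator roles,
plus an offline evaluator of its Deny statement (added example; role name,
account IDs and ARNs are constructed assumptions, not from the original)."""
import fnmatch
import json

# Constructed SCP document. Deny statements in SCPs may carry a Condition
# element (Allow statements may not), so the exemption for administrators is
# expressed as a StringNotLike condition on aws:PrincipalArn. For an assumed
# role session, aws:PrincipalArn carries the role ARN (arn:aws:iam::...:role/...).
SCP_IAM_ADMIN_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIAMActionsExceptAdminRoles",
            "Effect": "Deny",
            "Action": "iam:*",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        # Assumed administrator role name; any account ID matches.
                        "arn:aws:iam::*:role/OrganizationAdministrator"
                    ]
                }
            },
        }
    ],
}


def _match_any(value, patterns):
    """IAM-style wildcard match (* and ?) of a value against a pattern list."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_denies(policy, principal_arn, action):
    """Return True if a Deny statement in the SCP applies to this call.

    A StringNotLike condition is satisfied (and the Deny fires) when the
    principal ARN matches none of the listed patterns. A Deny without a
    condition fires unconditionally.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not _match_any(action, actions):
            continue
        cond = stmt.get("Condition", {})
        exempt = cond.get("StringNotLike", {}).get("aws:PrincipalArn")
        if exempt is None or not _match_any(principal_arn, exempt):
            return True
    return False


def simulate(policy, principals, action):
    """Map each labelled principal ARN to 'deny' or 'pass' for one action.

    'pass' means the SCP does not block the call; the principal still needs
    an identity-based policy that allows it.
    """
    return {
        label: ("deny" if scp_denies(policy, arn, action) else "pass")
        for label, arn in principals.items()
    }


# Constructed sample principals from two member accounts.
SAMPLE_PRINCIPALS = {
    "admin role": "arn:aws:iam::111122223333:role/OrganizationAdministrator",
    "developer role": "arn:aws:iam::111122223333:role/Developer",
    "iam user": "arn:aws:iam::444455556666:user/bob",
    "account root": "arn:aws:iam::444455556666:root",
}


if __name__ == "__main__":
    print(json.dumps(SCP_IAM_ADMIN_ONLY, indent=2))
    for label, verdict in simulate(
        SCP_IAM_ADMIN_ONLY, SAMPLE_PRINCIPALS, "iam:CreateUser"
    ).items():
        print(f"{label:15s} iam:CreateUser -> {verdict}")
```

Run from the management account, the printed document is what you would pass to `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and then attach with `aws organizations attach-policy` to the root ID returned by `aws organizations list-roots`. The member-account root user is blocked like any other non-exempt principal, while the same policy has no effect on principals in the management account; before attaching it, confirm with the sample principals that the exempted pattern matches the real administrator role name, including any path in the role ARN.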
Practice question and answer with explanation for the Amazon AWS Certified Solutions Architect – Professional (SAP-C02) certification exam.