Topic 1 Question 229

AWS Certified DevOps Engineer - Professional

Topic 1 Question 229
A developer is creating a proof of concept for a new software as a service (SaaS) application. The application is in a shared development AWS account that is part of an organization in AWS Organizations.

The developer needs to create service-linked IAM roles for the AWS services that are being considered for the proof of concept. The solution needs to give the developer the ability to create and configure the service-linked roles only.

Which solution will meet these requirements?
- Create an IAM user for the developer in the organization's management account. Configure a cross-account role in the development account for the developer to use. Limit the scope of the cross-account role to common services.
- Add the developer to an IAM group. Attach the PowerUserAccess managed policy to the IAM group. Enforce multi-factor authentication (MFA) on the user account.
- Add an SCP to the development account in Organizations. Configure the SCP with a Deny rule for iam:* to limit the developer's access.
- Create an IAM role that has the necessary IAM access to allow the developer to create policies and roles. Create and attach a permissions boundary to the role. Grant the developer access to assume the role.
ユーザの投票
コメント(3)
- 正解だと思う選択肢: D
  A. This approach involves creating a user in the management account and setting up cross-account roles, which adds unnecessary complexity and potential security risks. B. PowerUserAccess managed policy provides broad permissions that go beyond just creating and configuring service-linked roles. This approach does not meet the requirement to restrict the developer's capabilities specifically to service-linked role management. C. SCPs are used to set permission guardrails at the organizational or account level, but they do not grant permissions. They are used to restrict actions, and configuring an SCP with a deny rule for iam:* would likely prevent the developer from performing necessary actions
  
  D effectively meets the requirements
  
  👍 5
  trungtd2024/07/13
- 正解だと思う選択肢: D
  D - is more granular since it provides the right balance of granting necessary permissions while maintaining security and following the principle of least privilege. It allows the developer to create and configure service-linked roles as needed for the proof of concept, while the permissions boundary ensures that they can't exceed their intended level of access.
  
  👍 4
  TEC12024/07/13
- ---> D
  
  👍 2
  tgv2024/07/15
シャッフルモード

ユーザの投票

コメント(3)