Topic 1 Question 270

AWS Certified DevOps Engineer - Professional

Topic 1 Question 270
A company uses AWS Organizations to manage hundreds of AWS accounts. The company has a team that is responsible for AWS Identity and Access Management (IAM).

The IAM team wants to implement AWS IAM Identity Center (AWS Single Sign-On). The IAM team must have only the minimum needed permissions to manage IAM Identity Center. The IAM team must not be able to gain unneeded access to the Organizations management account. The IAM team must be able to provision new IAM Identity Center permission sets and assignments for existing and new member accounts.

Which combination of steps will meet these requirements?

3 つ選択
- Create a new AWS account for the IAM team. In the new account, enable IAM Identity Center. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.
- Create a new AWS account for the IAM team. In the Organizations management account, enable IAM Identity Center. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.
- In IAM Identity Center, create users and a group for the IAM team. Add the users to the group. Create a new permission set. Attach the AWSSSODirectoryAdministrator managed IAM policy to the group.
- In IAM Identity Center, create users and a group for the IAM team. Add the users to the group. Create a new permission set. Attach the AWSSSOMemberAccountAdministrator managed IAM policy to the group.
- Assign the permission set to the Organizations management account. Allow the IAM team group to use the permission set.
- Assign the permission set to the new AWS account. Allow the IAM team group to use the permission set.
ユーザの投票
コメント(12)
- 正解だと思う選択肢: ADF
  A ensures that the IAM team operates within their own account, isolating their permissions and activities from the Organizations management account. D provides the IAM team with the necessary permissions to manage IAM Identity Center across member accounts, without granting broader access. *Note that AWSSSODirectoryAdministrator policy grants broader permissions than necessary F. ensures that the IAM team has the necessary permissions within their designated account
  
  B. "The IAM team must not be able to gain unneeded access to the Organizations management account" => So B is wrong C contradicting the principle of least privilege. E should be avoided to prevent the IAM team from gaining unneeded access.
  
  👍 7
  trungtd2024/07/14
- 正解だと思う選択肢: BDF
  For B see this: https://aws.amazon.com/blogs/security/getting-started-with-aws-sso-delegated-administration/ For D: compare the two policies AWSSSODirectoryAdministrator does not grant managment of permission sets F: makes sure that the IAM team has the necessary permissions within their designated account
  
  👍 7
  Shenannigan2024/09/12
- 正解だと思う選択肢: ADF
  ---> ADF
  
  👍 5
  tgv2024/07/15
シャッフルモード

ユーザの投票

コメント(12)