Topic 1 Question 351
2 つ選択A company uses an organization in AWS Organizations to manage multiple AWS accounts in a hierarchical structure. An SCP that is associated with the organization root allows IAM users to be created.
A DevOps team must be able to create IAM users with any level of permissions. Developers must also be able to create IAM users. However, developers must not be able to grant new IAM users excessive permissions. The developers have the CreateAndManageUsers role in each account. The DevOps team must be able to prevent other users from creating IAM users.
Which combination of steps will meet these requirements?
Create an SCP in the organization to deny users the ability to create and modify IAM users. Attach the SCP to the root of the organization. Attach the CreateAndManageUsers role to developers.
Create an SCP in the organization to grant users that have the DeveloperBoundary policy attached the ability to create new IAM users and to modify IAM users. Configure the SCP to require users to attach the PermissionBoundaries policy to any new IAM user. Attach the SCP to the root of the organization.
Create an IAM permissions policy named PermissionBoundaries within each account. Configure the PermissionBoundaries policy to specify the maximum permissions that a developer can grant to a new IAM user.
Create an IAM permissions policy named PermissionBoundaries within each account. Configure PermissionsBoundaries to allow users who have the PermissionBoundaries policy to create new IAM users.
Create an IAM permissions policy named DeveloperBoundary within each account. Configure the DeveloperBoundary policy to allow developers to create IAM users and to assign policies to IAM users of only if the developer includes the PermissionBoundaries policy as the permissions boundary. Attach the DeveloperBoundary policy to the CreateAndManageUsers role within each account.
ユーザの投票
コメント(4)
- 正解だと思う選択肢: CE
A would prevent anyone to create IAM users, so both DevOps teams and Developers cannot create IAM users. B would prevent DevOps team to create IAM users "with any level of permissions". C would create the permission boundary that defines the maximum permissions of a user created by the Developers. D does not work like that. The permission boundary would be used for preventing too many permissions on a user created by the Developers, and not for giving them user creation rights as well. E would give the Developers the permissions to create users, but would force them to also attach the permission boundary (created in C) to the new user, limiting their permissions correctly (even if the Developer would give that user too many permissions)
👍 4Impromptu2024/11/24 - 正解だと思う選択肢: CE
- IAM user creation:
• Both the DevOps team and developers should be able to create IAM users.
- Permissions control: • Developers should be restricted from granting excessive permissions to the IAM users they create.
- Prevention of unauthorized IAM user creation: • Only the designated roles (DevOps and developers) should create IAM users.
To achieve this, AWS Permissions Boundaries provide an effective way to enforce limits on the permissions that developers can assign
👍 4Ky_242024/12/16 - IAM user creation:
• Both the DevOps team and developers should be able to create IAM users.
- 正解だと思う選択肢: CE
SCP in A denies the access to everyone but it doesnt explain the details about PermissionBoundaries policy used in C option. When you combine the C option with E option ie Creation of PermissionBoundaries policy to create the boundary and Creation of Developer boundary policy which allow developers to have access with boundaries mentioned in PermissionBoundaries make sense. Hence CE
👍 3ArunRav2024/11/28
シャッフルモード