
Exam AWS DevOps Engineer Professional topic 1 question 208 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 208
Topic #: 1

A company has provided an externally hosted third-party vendor product with access to the company's AWS account. The vendor product performs various AWS actions in the AWS account and requires various IAM permissions. The company granted the access by creating an IAM user, associating IAM policies with it, and inserting the IAM user's credentials into the vendor product.

A security review reveals that the vendor’s access is overly permissive. The company wants to apply the principle of least privilege and wants to continue giving the vendor permissions to perform only the actions that the vendor has performed in the last 6 months.

Which solution will meet these requirements with the LEAST effort?

  • A. Use AWS Identity and Access Management Access Analyzer to generate a new IAM policy based on the IAM user’s AWS CloudTrail history. Replace the IAM user policy with the newly generated policy.
  • B. Use AWS Identity and Access Management Access Analyzer to generate a new IAM policy based on the IAM user’s AWS CloudTrail history. Attach the newly generated policy as a permissions boundary to the IAM user.
  • C. Use AWS Identity and Access Management Access Analyzer to discover the last accessed information for the IAM user and to create a new IAM policy that allows only the services and actions that the last accessed review identified. Replace the IAM user policy with the newly generated policy.
  • D. Use AWS Identity and Access Management Access Analyzer to discover the last accessed information for the IAM user and to create a new IAM policy that allows only the services and actions that the last accessed review identified. Attach the newly generated policy as a permissions boundary to the IAM user.
Suggested Answer: B 🗳️
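The difference between options A and B comes down to how IAM combines an identity policy with a permissions boundary: the effective permissions are the intersection of the two, and a boundary on its own grants nothing. The following added example (not part of the exam question or any vendor's code) uses constructed sample policies and a deliberately simplified evaluator (Allow/Deny on action names only, no resource or condition matching) to show what the vendor user can do after each option; the policy contents and function names are assumptions for illustration.

```python
import fnmatch

# Constructed sample policies (not from the page). BROAD_POLICY stands for the
# overly permissive policy the vendor was given; GENERATED_POLICY stands for the
# policy Access Analyzer would produce from the last 6 months of CloudTrail activity.
BROAD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}
GENERATED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["sqs:SendMessage"], "Resource": "*"},
]}

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def policy_allows(policy, action):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def effective_allow(identity_policies, action, boundary=None):
    """Effective permission = allowed by an identity policy AND (if set) by the boundary."""
    if not any(policy_allows(p, action) for p in identity_policies):
        return False
    if boundary is not None and not policy_allows(boundary, action):
        return False
    return True

def option_a(action):
    # Option A: the broad identity policy is replaced by the generated policy.
    return effective_allow([GENERATED_POLICY], action)

def option_b(action):
    # Option B: the broad identity policy stays; the generated policy is the boundary.
    return effective_allow([BROAD_POLICY], action, boundary=GENERATED_POLICY)

def boundary_only(action):
    # A permissions boundary without any identity policy grants nothing.
    return effective_allow([], action, boundary=GENERATED_POLICY)
```

Both option_a and option_b leave the vendor with exactly the actions seen in CloudTrail; B achieves it without touching the existing policy, which is why it is the least-effort choice when that policy may be shared or hard to modify.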

Comments

stalos
2 years, 2 months ago
All of them are more or less OK - but the answer is B - the easiest solution (A is also OK, but if the existing policy is used by other users/systems it can bring more work).
upvoted 2 times
SHoKMaSTeR
2 years, 2 months ago
Selected Answer: B
Both A and B could work, but B is the least effort: it limits the current permissions and does not replace them with a new policy with a narrower scope.
upvoted 1 times
Mark1000
2 years, 2 months ago
B is correct. I had marked A, because it is between A and B; but I had not taken into account that the history of CloudTrail activities must be limited precisely because the permissions are too many at first; therefore it is necessary to limit them, and as CloudFloater has indicated, the correct answer is B.
upvoted 1 times
saeidp
2 years, 2 months ago
Selected Answer: B
B makes more sense than others
upvoted 1 times
CloudFloater
2 years, 2 months ago
Selected Answer: B
Option A: Policy based on CloudTrail history. Option B: Policy boundary based on CloudTrail. Option C: Policy based on last access. Option D: Policy boundary based on last access.
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other