ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

View all questions & answers for the AWS Certified DevOps Engineer - Professional DOP-C02 exam
Go to Exam

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 11 discussion

Exam question from Amazon's AWS Certified DevOps Engineer - Professional DOP-C02
Question #: 11
Topic #: 1
[All AWS Certified DevOps Engineer - Professional DOP-C02 Questions]

An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to external identity provider (IdP) and has configured SAML 2.0.
The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources.
Which combination of steps will meet these requirements? (Choose three.)

  • A. Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
  • B. Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
  • C. Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in IAM Identity Center.
  • D. Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.
  • E. Enable attributes for access control in IAM Identity Center. Apply tags to users. Map the tags as key-value pairs.
  • F. Enable attributes for access control in IAM Identity Center. Map attributes from the IdP as key-value pairs.
Show Suggested Answer Hide Answer
Suggested Answer: BCF 🗳️
by lqpO_Oqpl at April 5, 2023, 2:42 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
bcx
Highly Voted 2 years, 2 months ago
Selected Answer: BCF
I would go with BCF. I cannot make a large comment on why but manage an identity center setup at work and find that these are the correct ones IMHO. Your IdP has attributes, not tags, ou have to rely on the IdP's attributes for instance. And you work with permission sets almost always, so the three answers about the permission sets make the full answer. You do not use IAM directly or tags for this.
upvoted 14 times
...
asfsdfsdf
Highly Voted 2 years, 4 months ago
Selected Answer: BCF
This is clearly stated here: https://aws.amazon.com/blogs/aws/new-attributes-based-access-control-with-aws-single-sign-on/ Answers are: BCF - permissions sets + IDP attributes mapping + groups For example a user with IDP attribute of Dep/hr will be able to delete instances with this specific tag
upvoted 6 times
...
namtp
Most Recent 1 year ago
Selected Answer: BCF
BCF is correct anwers. Permission set + group created in the IdP, and map attributes is key
upvoted 1 times
...
Gomer
1 year, 2 months ago
Selected Answer: BCF
While I have no great insights or expertise in this area, I do know how to read (RTFM) and quasi-solve the puzzle in my head. This reference URL (pdf) seems to touch all the steps listed in "B", "C", "F" and showed some extra steps not listed. Search and see for yourself. https://d1.awsstatic.com/events/aws-reinforce-2022/IAM309_Designing-a-well-architected-identity-and-access-management-solution.pdf
upvoted 1 times
Gomer
1 year, 2 months ago
Also, I might add, rather than just memorize the most votes answer to the question, I'd suggest actually going out to do some research and taking some long term notes you can reference later. That may take more time, but you also be more competent at work, and maybe keep your job longer. I love the fact that exam topics gives a forum to discuss and research complex questions and share findings. It's pretty lame If you come here to just memorize answers long enough to pass an exam.
upvoted 3 times
...
...
zijo
1 year, 6 months ago
Permission sets are stored in IAM Identity Center. So you know all answers that mention about permission sets and IAM Identity Center are likely correct
upvoted 1 times
...
thanhnv142
1 year, 6 months ago
B, C, E seem more accurate: B- need to attach the policy so that it can be usable. A is not true because IAM policies is not the same as in IAM Identity Center C- not D because cannot assign group to IAM policies. IAM policies is attached to groups. also, need permission sets in Identity Center E- attributes is basically tagging.
upvoted 1 times
...
SafranboluLokumu
1 year, 8 months ago
correct answer seen as A-B-C. but 11 people sure the correct answer is B-C-F in discussion. What is the answer? Can the system show the correct answer as wrong or are people mistaken?
upvoted 1 times
davdan99
1 year, 7 months ago
The examTopics answers in most cases are wrong, please read discussions, and references that users provide
upvoted 4 times
ajeeshb
1 year, 1 month ago
Then why do people pay the fee for access, I dont understand. If it is from a discussion the people have to understand the answer (that too not very sure), why do they charge so much for the contributor access?!
upvoted 2 times
...
...
...
habros
2 years, 1 month ago
https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html
upvoted 2 times
...
habros
2 years, 1 month ago
Selected Answer: BCF
Example if I use IdP as my group, and I add users to the group, then my users will be onboarded via the SCIM method. IAM roles does not apply to Control Tower landing zone. Hence B and C is secured (only permission sets for AWS SSO) Does not make sense granting RBAC via tags…
upvoted 5 times
Aja1
2 years ago
An inline policy is a policy created for a single IAM identity (a user, group, or role). Inline policies maintain a strict one-to-one relationship between a policy and an identity A permission set is a template that you create and maintain that defines a collection of one or more IAM policies.
upvoted 1 times
Aja1
2 years ago
IAM Identity Center helps you securely create, or connect, your workforce identities and manage their access centrally across AWS accounts and applications Attribute mappings are used to map attribute types that exist in IAM Identity Center with like attributes in an AWS Managed Microsoft AD directory. IAM Identity Center retrieves user attributes from your Microsoft AD directory and maps them to IAM Identity Center user attributes. These IAM Identity Center user attribute mappings are also used for generating SAML assertions for your cloud applications.
upvoted 1 times
...
...
...
madperro
2 years, 2 months ago
Selected Answer: BCF
BCF https://docs.aws.amazon.com/singlesignon/latest/userguide/abac.html
upvoted 4 times
...
Rick365
2 years, 2 months ago
Selected Answer: BCF
I beleive BCF
upvoted 1 times
...
ParagSanyashiv
2 years, 3 months ago
Selected Answer: BCF
BCF makes more sense here.
upvoted 2 times
...
alce2020
2 years, 4 months ago
ill go with B,C,F
upvoted 2 times
...
ele
2 years, 4 months ago
Selected Answer: BCF
agree, BCF - permissions sets + IDP attributes mapping + groups
upvoted 2 times
...
lqpO_Oqpl
2 years, 4 months ago
A, C, E
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel