Exam AWS Certified Security - Specialty topic 1 question 503 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 503
Topic #: 1
A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1,000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.

The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation.

Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).
  • B. Delegate application team leads to provision IAM roles for each team. Conduct a quarterly review of the IAM roles the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.
  • C. Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions in the AWS account of each team.
  • D. Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.
Suggested Answer: D

Comments

Raphaello
1 year, 4 months ago
Selected Answer: D
C is fine, but does not solve the issue of app teams provisioning roles and preventing privilege escalation. Whereas by deploying the appropriate SCPs and permissions boundaries, app teams assuming certain roles can create other roles and be safe from privilege escalation. D.
upvoted 1 times
yorkicurke
1 year, 6 months ago
Selected Answer: C
By putting each AWS account in its own OU and adding an SCP to each OU, you’re effectively limiting the scope of IAM roles that can be created within each account, as they can only access the services specified in the SCP.
upvoted 1 times
kejam
1 year, 7 months ago
Selected Answer: D
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html#access_policies_boundaries-delegate
upvoted 2 times
cloudenthusiast
2 years, 1 month ago
Selected Answer: D
The solution that will meet the requirements with the least operational overhead is: D. Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles. By implementing an SCP (Service Control Policy) and a permissions boundary, you can control and limit the scope of IAM roles while allowing application teams to provision their own roles. The SCP applied to the root Organizational Unit (OU) ensures that only roles with the specified permissions boundary can create new IAM roles. This provides a level of control and prevents privilege escalation.
upvoted 3 times
samCarson
2 years ago
Thanks Chatgpt!
upvoted 1 times
Salah21
1 year, 8 months ago
I don't get it. How would you configure them to allow only the roles that have the permissions boundary attached to create any new IAM roles? Both SCPs and permissions boundaries are restrictive! If an IAM entity (user or role) makes a request, it is affected by an SCP, a permissions boundary, and an identity-based policy. In this case, the request is allowed only if all three policy types allow it. How would you configure the SCP and the permissions boundary in this case to have the desired outcome? I'm starting to believe that the answer might be B.
upvoted 1 times
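The question Salah21 raises is the crux of answer D, so here is an added worked example (not from the page, the exam, or AWS documentation) that models the delegation pattern: the SCP's Deny statement is conditional on the `iam:PermissionsBoundary` request key, so it only bites when a role is created without the approved boundary, and the boundary itself is what limits what the delegated role may do. The account ID, the boundary ARN `AppTeamBoundary`, the role path `role/app/*` and the policy evaluator are all constructed for illustration; the evaluator is a toy model of the "explicit deny wins, otherwise every applicable policy type must allow" rule, not a substitute for the IAM policy simulator.

```python
"""Toy model of the SCP + permissions-boundary delegation pattern (constructed example)."""
import fnmatch

# Constructed placeholders; substitute your own account and policy names.
ACCOUNT = "111122223333"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/AppTeamBoundary"
APP_ROLE_PATH = f"arn:aws:iam::{ACCOUNT}:role/app/*"

# SCP attached at the root OU. The first statement stands in for FullAWSAccess;
# the Deny statements are what prevent unbounded roles and boundary tampering.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {   # Creating a role (or changing its boundary) requires THE approved boundary.
        "Effect": "Deny",
        "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
    },
    {   # Nobody in the OU may strip a boundary from a role.
        "Effect": "Deny", "Action": "iam:DeleteRolePermissionsBoundary", "Resource": "*",
    },
    {   # Nobody in the OU may edit or delete the boundary policy itself.
        "Effect": "Deny",
        "Action": ["iam:DeletePolicy", "iam:CreatePolicyVersion",
                   "iam:SetDefaultPolicyVersion", "iam:DeletePolicyVersion"],
        "Resource": BOUNDARY_ARN,
    },
]}

# The permissions boundary: the ceiling for every role an app team creates.
# It allows a fixed service set, and lets bounded roles create further roles
# only under the app path and only with the same boundary (no escalation).
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "lambda:*", "logs:*"], "Resource": "*"},
    {
        "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
        "Resource": APP_ROLE_PATH,
        "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
    },
]}

# A deliberately broad identity policy on the team's provisioning role, to show
# that the boundary and SCP, not the identity policy, enforce the limits.
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}


def _listify(x):
    return x if isinstance(x, list) else [x]


def _condition_ok(cond, ctx):
    """Evaluate StringEquals / StringNotEquals against the request context.
    As in IAM, a missing key makes StringEquals false and StringNotEquals true."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
            if op not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator in toy model: {op}")
    return True


def _evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no statement applies) for one policy."""
    verdict = None
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _listify(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # an explicit deny ends evaluation
        verdict = "Allow"
    return verdict


def is_allowed(action, resource, ctx, identity=IDENTITY, boundary=BOUNDARY, scp=SCP):
    """Combined decision: any Deny loses; otherwise SCP, boundary and identity must all Allow."""
    verdicts = [_evaluate(p, action, resource, ctx) for p in (scp, boundary, identity)]
    return "Deny" not in verdicts and all(v == "Allow" for v in verdicts)


# Four requests an app team's provisioning role might make.
def create_role_with_boundary():
    ctx = {"iam:PermissionsBoundary": BOUNDARY_ARN}
    return is_allowed("iam:CreateRole", f"arn:aws:iam::{ACCOUNT}:role/app/orders-api", ctx)


def create_role_without_boundary():
    return is_allowed("iam:CreateRole", f"arn:aws:iam::{ACCOUNT}:role/app/orders-api", {})


def create_role_outside_app_path():
    ctx = {"iam:PermissionsBoundary": BOUNDARY_ARN}
    return is_allowed("iam:CreateRole", f"arn:aws:iam::{ACCOUNT}:role/admin-bootstrap", ctx)


def strip_boundary_from_role():
    return is_allowed("iam:DeleteRolePermissionsBoundary",
                      f"arn:aws:iam::{ACCOUNT}:role/app/orders-api", {})


if __name__ == "__main__":
    for fn in (create_role_with_boundary, create_role_without_boundary,
               create_role_outside_app_path, strip_boundary_from_role):
        print(f"{fn.__name__:32s} -> {'ALLOW' if fn() else 'DENY'}")
```

Only the first request succeeds: the role is created under the app path with the approved boundary attached. Creating a role without the boundary is stopped by the SCP's conditional Deny, creating one outside the app path is stopped because the boundary has no matching Allow (even though the identity policy says `iam:*`), and removing the boundary afterwards is stopped by the unconditional Deny. That is how two "restrictive" policy types together produce the delegated, non-escalating outcome answer D describes.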
Community vote distribution
A (35%)
C (25%)
B (20%)
Other