
Exam AWS Certified Security - Specialty topic 1 question 262 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 262
Topic #: 1

A company's development team is designing an application using AWS Lambda and Amazon Elastic Container Service (Amazon ECS). The development team needs to create IAM roles to support these systems. The company's security team wants to allow the developers to build IAM roles directly, but the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for the application's AWS services. The solution must minimize management overhead.
How should the security team prevent privilege escalation for both teams?

  • A. Enable AWS CloudTrail. Create a Lambda function that monitors the event history for privilege escalation events and notifies the security team.
  • B. Create a managed IAM policy for the permissions required. Reference the IAM policy as a permissions boundary within the development team's IAM role.
  • C. Enable AWS Organizations. Create an SCP that allows the iam:CreateUser action but that has a condition that prevents API calls other than those required by the development team.
  • D. Create an IAM policy with a deny on the iam:CreateUser action and assign the policy to the development team. Use a ticket system to allow the developers to request new IAM roles for their applications. The IAM roles will then be created by the security team.
Suggested Answer: B

Comments

kiev
Highly Voted 3 years, 7 months ago
B for me is the right answer, and my reason is because it has IAM but with a permissions boundary, and this still gives the security team overall control of what the development team does. It also mentions roles.
upvoted 20 times
ideoignus
3 years, 4 months ago
https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/
upvoted 2 times
John129087
3 years, 6 months ago
B is wrong. Managed IAM policies cannot be created by users.
upvoted 5 times
Balki
2 years, 6 months ago
This doesn't say it is an AWS managed policy. We should treat this as a "customer" managed policy.
upvoted 2 times
Smartphone
2 years, 4 months ago
Managed IAM policy does not only mean AWS managed IAM policy: one is a customer managed IAM policy and the other is an AWS managed IAM policy. You can create your own managed policy.
upvoted 1 times
jtzt2003
Highly Voted 3 years, 7 months ago
The answer is B: It cannot be C, as SCPs apply to all users & roles in the account.
upvoted 8 times
Raphaello
Most Recent 1 year, 3 months ago
Selected Answer: B
Permissions boundary. Correct answer is B.
upvoted 1 times
Raphaello
1 year, 3 months ago
Selected Answer: B
Very poorly written question. Definitely composed by someone who's not a native English speaker ("The development team needs to create IAM roles to support these systems")! Anyways, the scenario is close to what a permissions boundary is needed for, so B is my pick.
upvoted 1 times
yorkicurke
1 year, 5 months ago
Selected Answer: B
Another ambiguously worded question, written by some AWS Mor*n.
upvoted 1 times
pal40sg
2 years ago
Selected Answer: B
B: Create a managed IAM policy for the required permissions and reference the IAM policy as a permissions boundary within the development team's IAM role. By creating a managed IAM policy, the security team can define the specific permissions required by the development team. The policy can be attached as a permissions boundary to the IAM role, ensuring that the role cannot exceed the permissions defined in the policy. This approach allows the developers to create IAM roles directly while restricting their ability to escalate privileges beyond the defined boundaries.
upvoted 1 times
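To make the mechanism in answer B concrete, here is an added example (not from the discussion above, and not AWS's own code): the security team's boundary policy, the developers' own policy that only permits `iam:CreateRole` when that boundary is attached, and a deliberately simplified evaluator showing that a bounded role's effective permissions are the intersection of its identity policy and the boundary. The account id, the policy name `DevBoundary`, and the `app-*` role prefix are placeholders; the policy documents are constructed for the example.

```python
import fnmatch

# Added example, not part of the discussion above. The account id and the
# policy name "DevBoundary" are placeholders; all policies are constructed.
ACCOUNT = "123456789012"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DevBoundary"

# Security team's customer managed policy: the ceiling for any developer-created role.
DEV_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["lambda:*", "ecs:*", "logs:*", "s3:GetObject"]}]}

# Developers' own policy: creating a role or attaching a policy to it succeeds
# only when the role carries the boundary (iam:PermissionsBoundary condition key).
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/app-*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/app-*"}]}

# What a developer might attach to a role they created: full admin.
OVERBROAD_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _allow_patterns(policy):
    """Action patterns from Allow statements, lower-cased (IAM actions are case-insensitive)."""
    pats = []
    for st in policy["Statement"]:
        if st["Effect"] == "Allow":
            acts = st["Action"]
            pats += [acts.lower()] if isinstance(acts, str) else [a.lower() for a in acts]
    return pats

def _matches(action, patterns):
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def is_allowed(action, role_policy, boundary=DEV_BOUNDARY):
    """Simplified evaluation for a bounded role: the action must be allowed by BOTH
    the role's identity policy and the boundary (denies, resource matching, SCPs omitted)."""
    return _matches(action, _allow_patterns(role_policy)) and \
        _matches(action, _allow_patterns(boundary))

def create_role_permitted(requested_boundary):
    """Does DEVELOPER_POLICY let iam:CreateRole through with this boundary (None = none set)?"""
    for st in DEVELOPER_POLICY["Statement"]:
        if _matches("iam:CreateRole", _allow_patterns({"Statement": [st]})):
            want = st.get("Condition", {}).get("StringEquals", {})
            return want.get("iam:PermissionsBoundary") == requested_boundary
    return False
```

Even with an admin policy attached by the developer, the bounded role cannot call `iam:CreateUser`, and a role created without the boundary is refused at `iam:CreateRole` time.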
cloud_collector
2 years, 8 months ago
Selected Answer: B
You can use permissions boundaries to delegate permissions management tasks, such as user creation, to IAM users in your account. This permits others to perform tasks on your behalf within a specific boundary of permissions. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html#access_policies_boundaries-delegate
upvoted 3 times
CuLeBrO
2 years, 9 months ago
Answer is C. B says "Create a managed IAM policy", users cannot create managed IAM policies, they are already created and managed by AWS.
upvoted 1 times
lotfi50
2 years, 11 months ago
Selected Answer: B
B is the answer
upvoted 2 times
Chief123
3 years, 1 month ago
It is B. The devs need to be able to create 'IAM Roles' not IAM Users so having iam:CreateUser makes no sense.
upvoted 1 times
hk436
3 years, 7 months ago
B is my answer. This scenario can be handled well by permissions boundaries.
upvoted 4 times
Dhipakkumaran
3 years, 7 months ago
A is correct
upvoted 1 times
TollaMS
3 years, 8 months ago
C is the answer: "the security team wants to retain control over the permissions the developers can delegate to those roles. The development team needs access to more permissions than those required for application's AWS services. The solution must minimize management overhead." The security team needs central control over the whole account.
upvoted 4 times
fais1985
3 years, 8 months ago
I think A or B, since C doesn't seem right, since the question doesn't deal with Organizations.
upvoted 1 times
stamford
3 years, 8 months ago
Is it B?
upvoted 4 times
dumma
3 years, 8 months ago
C is correct
upvoted 3 times
santosar
3 years, 8 months ago
C!? Is that OK?
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other