
Answer-first summary for fast verification
Answer: Create an SCP that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP to the root of the organization.
The correct answer is A. Service Control Policies (SCPs) applied at the organization level are the most effective way to enforce guardrails that restrict or deny permissions across every member account. An SCP with a Deny statement covering changes to the auditing application's IAM role, combined with a condition that exempts only the trusted administrator IAM role, ensures that no other principal can modify or delete the role. Attaching the SCP to the root of the organization means the policy applies to all accounts within the organization. Options C and D are less effective because IAM permissions boundaries apply to individual IAM entities (users, groups, and roles) and are not suitable for restricting access at the account level. Therefore, option A is the best solution.
Author: LeetQuiz Editorial Team
A company operates a security auditing application within an AWS account that utilizes an IAM role to access resources across multiple AWS accounts within the same AWS Organization. A recent security audit identified a vulnerability where users in the audited accounts could potentially modify or delete the IAM role of the auditing application. To enhance security, the company requires a solution that prevents any alterations to the auditing application's IAM role, except by a designated trusted administrator IAM role. Which of the following solutions would effectively address this security requirement?
A
Create an SCP that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP to the root of the organization.
B
Create an SCP that includes an Allow statement for changes to the auditing application's IAM role by the trusted administrator IAM role. Include a Deny statement for changes by all other IAM principals. Attach the SCP to the IAM service in each AWS account where the auditing application has an IAM role.
C
Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the audited AWS accounts.
D
Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the auditing application's IAM role in the AWS accounts.
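As an added illustration (not part of the original question or the editorial answer), here is what the SCP described in option A looks like when written out. The role names (`SecurityAuditRole`, `TrustedAdminRole`), the specific list of role-mutating IAM actions, and the use of `aws:PrincipalArn` as the exemption condition are assumptions about how the denial would be scoped.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangesToAuditRoleExceptTrustedAdmin",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": [
        "arn:aws:iam::*:role/SecurityAuditRole"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/TrustedAdminRole"
        }
      }
    }
  ]
}
```

Because SCPs only restrict and never grant, `TrustedAdminRole` still needs an identity-based IAM policy that allows these actions, and the organization's management account is not subject to SCPs at all. Sessions assumed from `TrustedAdminRole` present the role ARN in `aws:PrincipalArn`, which is why the `StringNotLike` pattern exempts them.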