AWS Certified DevOps Engineer - Professional

A company operates a security auditing application within an AWS account that utilizes an IAM role to access resources across multiple AWS accounts within the same AWS Organization. A recent security audit identified a vulnerability where users in the audited accounts could potentially modify or delete the IAM role of the auditing application. To enhance security, the company requires a solution that prevents any alterations to the auditing application's IAM role, except by a designated trusted administrator IAM role. Which of the following solutions would effectively address this security requirement?
Explanation:

The correct answer is A. Using Service Control Policies (SCPs) at the organization level is the most effective way to enforce restrictions that deny permissions across accounts. An SCP with a Deny statement covering changes to the auditing application's IAM role, combined with a condition that exempts only the trusted administrator IAM role, ensures that no other principal can modify or delete the role. Attaching the SCP to the root of the organization applies the policy to every account in the organization. Options C and D are less effective because IAM permissions boundaries are applied to IAM entities (users, groups, and roles) and are not suitable for restricting access at the account level. Therefore, option A is the best solution.
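The SCP the explanation describes, written out as an added example (not part of the original question or answer): the role name `SecurityAuditRole`, the administrator role name `TrustedAdminRole`, and the chosen set of IAM actions are assumptions for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectAuditingApplicationRole",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription",
        "iam:TagRole",
        "iam:UntagRole"
      ],
      "Resource": "arn:aws:iam::*:role/SecurityAuditRole",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/TrustedAdminRole"
        }
      }
    }
  ]
}
```

The `aws:PrincipalArn` key resolves to the underlying role ARN for assumed-role sessions, so the exemption matches whoever assumed `TrustedAdminRole` and nobody else; note that SCPs never restrict the organization's management account, so the auditing role should not live there if this protection is relied on.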