
A company operates a security auditing application within an AWS account that utilizes an IAM role to access resources across multiple AWS accounts within the same AWS Organization. A recent security audit identified a vulnerability where users in the audited accounts could potentially modify or delete the IAM role of the auditing application. To enhance security, the company requires a solution that prevents any alterations to the auditing application's IAM role, except by a designated trusted administrator IAM role. Which of the following solutions would effectively address this security requirement?
A
Create an SCP that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP to the root of the organization.
B
Create an SCP that includes an Allow statement for changes to the auditing application's IAM role by the trusted administrator IAM role. Include a Deny statement for changes by all other IAM principals. Attach the SCP to the IAM service in each AWS account where the auditing application has an IAM role.
C
Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the audited AWS accounts.
D
Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the auditing application's IAM role in the AWS accounts.
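The SCP pattern that option A describes (a Deny on the role-mutating IAM actions, with a condition that exempts one trusted administrator role, attached at the organization root) is shown below as an added example; it is not part of the original question. The role names, the account IDs and the policy Sid are assumptions chosen for illustration. The block emits the policy document and includes a small evaluator for the statement so the effect on different principals can be checked offline. Two caveats a practitioner should keep in mind: SCPs never apply to principals in the organization's management account, and the exemption relies on `aws:PrincipalArn`, which for a role session carries the role's ARN rather than the assumed-role session ARN, so every session of the trusted administrator role is exempted. Whoever can modify the trusted administrator role can also reach the audit role, so in practice that role's ARN belongs in the same `Resource` list.

```python
"""Added example, not from the original question: the SCP from option A.

Assumptions (not in the original text): the auditing application's role is
named SecurityAuditAppRole, the designated administrator role is named
TrustedIamAdminRole, and the account IDs used in the demo are made up.
"""
import fnmatch
import json

AUDIT_ROLE_NAME = "SecurityAuditAppRole"         # assumed name of the auditing app's role
TRUSTED_ADMIN_ROLE_NAME = "TrustedIamAdminRole"  # assumed name of the designated admin role

# IAM actions that change a role's existence, trust policy or permissions.
# Read-only actions (iam:GetRole, iam:ListRolePolicies, ...) are deliberately
# left out so the audited accounts can still inspect the role.
ROLE_MUTATING_ACTIONS = [
    "iam:AttachRolePolicy",
    "iam:DeleteRole",
    "iam:DeleteRolePermissionsBoundary",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
    "iam:PutRolePermissionsBoundary",
    "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy",
    "iam:UpdateRole",
    "iam:UpdateRoleDescription",
]

# The SCP itself. The account portion of the Resource ARN is a wildcard so one
# policy attached at the organization root covers the role in every member account.
# ArnNotLike on aws:PrincipalArn makes the Deny apply to everyone except the
# trusted administrator role; SCPs only filter, so no Allow statement is needed.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAuditRoleChangesExceptTrustedAdmin",
            "Effect": "Deny",
            "Action": ROLE_MUTATING_ACTIONS,
            "Resource": f"arn:aws:iam::*:role/{AUDIT_ROLE_NAME}",
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": f"arn:aws:iam::*:role/{TRUSTED_ADMIN_ROLE_NAME}"
                }
            },
        }
    ],
}


def scp_json() -> str:
    """Return the policy document as JSON, ready for organizations:CreatePolicy."""
    return json.dumps(SCP, indent=2)


def _arn_like(pattern: str, value: str) -> bool:
    # IAM ARN matching supports * and ? wildcards; fnmatch covers that for ARNs.
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(principal_arn: str, action: str, resource_arn: str,
               in_management_account: bool = False) -> bool:
    """Evaluate the SCP's Deny statement for one request.

    Returns True when the SCP blocks the request. Principals in the management
    account are never affected by SCPs, so they always get False here.
    """
    if in_management_account:
        return False
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # Action names are matched case-insensitively, as IAM does.
        if not any(_arn_like(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_arn_like(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt is not None and any(_arn_like(p, principal_arn) for p in _as_list(exempt)):
            continue  # ArnNotLike evaluates false: the statement does not match
        return True
    return False


if __name__ == "__main__":
    # Constructed demo principals in a made-up member account.
    audit_role = f"arn:aws:iam::111122223333:role/{AUDIT_ROLE_NAME}"
    developer = "arn:aws:iam::111122223333:role/Developer"
    admin = f"arn:aws:iam::111122223333:role/{TRUSTED_ADMIN_ROLE_NAME}"
    print(scp_json())
    print("developer changes trust policy ->", scp_denies(developer, "iam:UpdateAssumeRolePolicy", audit_role))
    print("trusted admin changes trust policy ->", scp_denies(admin, "iam:UpdateAssumeRolePolicy", audit_role))
    print("developer reads the role ->", scp_denies(developer, "iam:GetRole", audit_role))
```

Because the policy is attached at the root, it is inherited by every OU and member account; the default FullAWSAccess SCP still grants the allow side, and this Deny only narrows it. The evaluator is a simplified model of SCP evaluation for this one statement and does not reproduce the full IAM policy engine.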