AWS Certified Security - Specialty
Get started today
Ultimate access to all questions.
Ultimate access to all questions.
In an AWS environment utilizing AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On), a security engineer is tasked with creating a custom permission set that includes an AWS managed policy and a customer managed policy. This permission set is intended to be used across multiple AWS accounts. However, when attempting to assign this permission set to an IAM Identity Center user who has access to multiple accounts, the assignment process fails. The security engineer, who has full administrative permissions and is operating in the management account, needs to resolve this issue. What corrective action should the security engineer take to successfully assign the permission set?
Explanation:
The correct answer is A. Unlike AWS managed policies, customer managed policies need to be created in each account where the permission set is assigned. This requirement ensures that the customer managed policy is available and applied consistently across all accounts. Although AWS IAM Identity Center allows centralized management, customer managed policies must still be manually replicated to each account. Creating the customer managed policy in each account with the same name and permissions resolves the issue, enabling the assignment of the permission set to the user.