AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is expecting rapid growth in the near future. A solutions architect needs to configure existing users and grant permissions to new users on AWS. The solutions architect has decided to create IAM groups. The solutions architect will add the new users to IAM groups based on department.

Which additional action is the MOST secure way to grant permissions to the new users?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Apply service control policies (SCPs) to manage access permissions

Create IAM roles that have least privilege permission. Attach the roles to the IAM groups

Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups

Create IAM roles. Associate the roles with a permissions boundary that defines the maximum permissions

Explanation:

Explanation

The correct answer is C because:

IAM Groups with Policies: IAM groups are specifically designed to manage permissions for multiple users. By creating an IAM policy with least privilege permissions and attaching it to IAM groups, you ensure that all users in those groups inherit the same permissions.
Least Privilege Principle: Creating a policy with least privilege permission ensures users only have the minimum permissions needed to perform their job functions, which is a fundamental security best practice.
Why not other options:
- A: Service Control Policies (SCPs) are used in AWS Organizations to set maximum permissions for accounts in an organization, not for managing individual user permissions within IAM.
- B: IAM roles are not attached to IAM groups. Roles are assumed by users, services, or applications, not attached to groups. This approach is incorrect.
- D: While permissions boundaries can define maximum permissions, this approach creates unnecessary complexity. Permissions boundaries are typically used for delegated administration scenarios, not for standard user permission management through groups.
Best Practice: The standard AWS security best practice is to:
- Create IAM groups based on job functions or departments
- Create IAM policies with least privilege permissions
- Attach those policies to the groups
- Add users to the appropriate groups

This approach is scalable, maintainable, and follows the principle of least privilege while leveraging AWS's built-in group management capabilities.

Powered ByGPT-5.2

Comments

Loading comments...