Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

Amazon Exam DOP-C01 Topic 16 Question 82 Discussion

Actual exam question for Amazon's DOP-C01 exam
Question #: 82
Topic #: 16
[All DOP-C01 Questions]

A company's legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. A DevOps engineer needs to ensure new IAM users cannot be created unless the employee creating the IAM user is on an exception list.

Which solution will meet these requirements?

Show Suggested Answer Hide Answer
Suggested Answer: B

by Andra at Nov 26, 2023, 04:36 PM

Limited Time Offer

25%

Off

Get Premium DOP-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Cyril
8 months ago
Hmm, good point. Plus, option A requires you to explicitly exclude the exception list users, which seems a bit more complicated. Option B is a cleaner solution in my opinion.
upvoted 0 times
...
Marshall
8 months ago
Yeah, I agree. The only options that make sense are A and B. I'm leaning towards B though, since it's directly targeting the iam:CreateUser action instead of the iam:CreateAccessKey action.
upvoted 0 times
Lashawn
7 months ago
A: Sounds good, let's choose option B for this solution.
upvoted 0 times
...
Lili
8 months ago
B: Let's go with option B then.
upvoted 0 times
...
Quentin
8 months ago
B: Yeah, I see your point. But option B seems more straightforward to me.
upvoted 0 times
...
Bettyann
8 months ago
A: I think option A might work better in this case.
upvoted 0 times
...
Antione
8 months ago
B: Attach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringEquals for aws:username with a value of the exception list.
upvoted 0 times
...
Magda
8 months ago
A: Attach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringNotEquals for aws:username with a value of the exception list.
upvoted 0 times
...
...
Kendra
8 months ago
Okay, let's think this through. We need to prevent IAM users from being created unless the user is on an exception list, right? So that rules out options C and D, since they're deleting the user after the fact.
upvoted 0 times
...
Daniela
8 months ago
Haha, this question is tricky! I wonder how many people are going to get it wrong and try to use a resource-based policy instead of an SCP.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77