Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

Amazon Exam DOP-C01 Topic 2 Question 89 Discussion

Actual exam question for Amazon's DOP-C01 exam
Question #: 89
Topic #: 2
[All DOP-C01 Questions]

A company's legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. A DevOps engineer needs to ensure new IAM users cannot be created unless the employee creating the IAM user is on an exception list.

Which solution will meet these requirements?

Show Suggested Answer Hide Answer
Suggested Answer: B

by Edna at Apr 09, 2024, 05:53 AM

Limited Time Offer

25%

Off

Get Premium DOP-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Samira
6 months ago
I see your points, but I think option C might work too by using Amazon EventBridge for monitoring and enforcement.
upvoted 0 times
...
Stefania
6 months ago
I disagree, I believe option A is better as it specifically denies the creation of access keys, which is more aligned with the requirement.
upvoted 0 times
...
Maryann
6 months ago
I think option B is the answer because it explicitly denies IAM user creation for those not on the exception list.
upvoted 0 times
...
Odette
6 months ago
That's a good point, but option C) might also work by using Lambda functions to check the exception list before creating a new user.
upvoted 0 times
...
Viola
6 months ago
I prefer option A) as well, it seems more straightforward and easier to implement.
upvoted 0 times
...
Truman
7 months ago
I disagree, I believe option A) is better because it focuses on denying access key creation which is more critical for security.
upvoted 0 times
...
Odette
7 months ago
I think option B) would be the best solution, it explicitly denies creating new IAM users based on the exception list.
upvoted 0 times
...
Chuck
8 months ago
That's a good point. Option A does seem like the most reliable and straightforward solution. It's also more preventative than the EventBridge approach, which could still allow some unauthorized users to be created before they're deleted.
upvoted 0 times
...
Pok
8 months ago
Can we just agree that any solution involving deleting users after the fact is a terrible idea? That's like trying to catch a speeding bullet with your bare hands.
upvoted 0 times
Pete
7 months ago
F: Absolutely, it's all about setting up the right policies from the start to avoid unnecessary cleanup tasks later on.
upvoted 0 times
...
Ronald
8 months ago
E: B) Attach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringEquals for aws:username with a value of the exception list.
upvoted 0 times
...
Chantell
8 months ago
D: That makes sense, preventing the issue before it occurs is definitely the way to go.
upvoted 0 times
...
Kiley
8 months ago
C: A) Attach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringNotEquals for aws:username with a value of the exception list.
upvoted 0 times
...
Phuong
8 months ago
B: I agree, proactively blocking the creation of unauthorized users is much better than constantly having to cleanup after the fact.
upvoted 0 times
...
Cecily
8 months ago
A: B) Attach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringEquals for aws:username with a value of the exception list.
upvoted 0 times
...
...
Dorsey
8 months ago
I think Option A is the way to go. By using an SCP with a condition that excludes the exception list, we can effectively block the iam:CreateAccessKey action for all non-authorized users. This way, we don't have to worry about race conditions or other potential issues.
upvoted 0 times
...
Becky
8 months ago
I don't know, guys. Wouldn't Option B be simpler since we only need to worry about creating new users, not access keys? Plus, it's more direct - no need for fancy EventBridge rules or Lambda functions.
upvoted 0 times
Moira
7 months ago
In that case, maybe Option A would be more comprehensive. It covers both creating users and access keys.
upvoted 0 times
...
Florinda
7 months ago
I see your point, but what if we also want to prevent creation of access keys for unauthorized users?
upvoted 0 times
...
Pearlene
7 months ago
Option B sounds good to me. We should just deny creating new users for those not in the exception list.
upvoted 0 times
...
...
Dick
8 months ago
I agree, this is a complex scenario. We need to make sure the solution not only meets the requirements but also doesn't introduce any unintended consequences.
upvoted 0 times
...
Dottie
8 months ago
This question is a bit tricky. We need to carefully consider the requirements and the options provided to find the best solution.
upvoted 0 times
...
Norah
8 months ago
Yeah, those options are way too complicated. Why go through all that trouble when you can just use an SCP to explicitly deny the actions you don't want? I vote for Option A.
upvoted 0 times
...
Tasia
8 months ago
Ha! I like how Option C and D try to be sneaky and delete the user after they've been created. Talk about a band-aid on a bullet wound!
upvoted 0 times
...
Mertie
8 months ago
I'm not so sure about that. Option B only denies the CreateUser action, but we also need to prevent new access keys from being created. I think Option A might be a better solution since it covers both CreateUser and CreateAccessKey.
upvoted 0 times
...
Lashon
8 months ago
This question seems pretty straightforward. I think Option B is the best answer here - we need to deny IAM users from being created unless they're on an exception list, and that's exactly what this option does.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77