Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam SCS-C01 Topic 3 Question 62 Discussion

Actual exam question for Amazon's SCS-C01 exam
Question #: 62
Topic #: 3
[All SCS-C01 Questions]

A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1 000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.

The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation.

Which solution will meet these requirements with the LEAST operational overhead?

Show Suggested Answer Hide Answer
Suggested Answer: D

To create a process that will allow application teams to provision their own IAM roles, while limiting the scope of IAM roles and preventing privilege escalation, the following steps are required:

Create a service control policy (SCP) that defines the maximum permissions that can be granted to any IAM role in the organization. An SCP is a type of policy that you can use with AWS Organizations to manage permissions for all accounts in your organization. SCPs restrict permissions for entities in member accounts, including each AWS account root user, IAM users, and roles. For more information, see Service control policies overview.

Create a permissions boundary for IAM roles that matches the SCP. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. A permissions boundary allows an entity to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. For more information, see Permissions boundaries for IAM entities.

Add the SCP to the root organizational unit (OU) so that it applies to all accounts in the organization. This will ensure that no IAM role can exceed the permissions defined by the SCP, regardless of how it is created or modified.

Instruct the application teams to attach the permissions boundary to any IAM role they create. This will prevent them from creating IAM roles that can escalate their own privileges or access resources they are not authorized to access.

This solution will meet the requirements with the least operational overhead, as it leverages AWS Organizations and IAM features to delegate and limit IAM role creation without requiring manual reviews or approvals.

The other options are incorrect because they either do not allow application teams to provision their own IAM roles (A), do not limit the scope of IAM roles or prevent privilege escalation (B), or do not take advantage of managed services whenever possible .

Verified Reference:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html


Contribute your Thoughts:

Malcom
5 months ago
Option C? More like 'See ya later, operational overhead!' Putting each account in its own OU? That's overkill, even for a company with 1,000 accounts.
upvoted 0 times
...
Audry
5 months ago
Option A is way too complicated. Provisioning IAM users for each team member? No thanks, I'll pass on that headache.
upvoted 0 times
Eva
4 months ago
I agree, Option B seems more efficient and less complicated than Option A.
upvoted 0 times
...
Rebbeca
4 months ago
Option B sounds like a good solution. Letting the application team leads handle IAM roles could speed up the process.
upvoted 0 times
...
...
Jestine
6 months ago
Option B sounds like a recipe for disaster. Quarterly reviews? Really? Who has time for that?
upvoted 0 times
...
Luann
6 months ago
Option D is definitely the most elegant solution. Gotta love that permissions boundary, it's like a superpower for your IAM roles!
upvoted 0 times
...
Marla
6 months ago
I like how Option D uses the combination of SCP and permissions boundary to limit the scope of IAM roles. Seems like a good way to balance security and flexibility.
upvoted 0 times
Albina
5 months ago
It's a smart way to balance security and flexibility, especially when dealing with a large number of AWS accounts.
upvoted 0 times
...
Geoffrey
5 months ago
I agree. Using an SCP and permissions boundary can help ensure that only the necessary permissions are granted for creating IAM roles.
upvoted 0 times
...
Jody
5 months ago
It's definitely a smart way to handle the situation. It's important to have measures in place to ensure security while also allowing for efficient provisioning of IAM roles.
upvoted 0 times
...
Terrilyn
5 months ago
I agree. Using an SCP and permissions boundary can help prevent privilege escalation while still allowing teams to provision their own IAM roles.
upvoted 0 times
...
Shala
5 months ago
Option D does seem like a good solution. It's important to have that balance between security and flexibility.
upvoted 0 times
...
Kimberely
5 months ago
Option D does seem like a good solution. It's important to limit the scope of IAM roles to prevent privilege escalation.
upvoted 0 times
...
...
Ernie
6 months ago
I agree with Elinore. Option D seems like the most efficient way to handle the situation.
upvoted 0 times
...
Elinore
6 months ago
I think option D is the best solution. It limits the scope of IAM roles and prevents privilege escalation.
upvoted 0 times
...
Fidelia
7 months ago
Option D seems like the way to go. It's the most streamlined approach and provides the required controls to prevent privilege escalation.
upvoted 0 times
Lawanda
5 months ago
A) Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).
upvoted 0 times
...
Lashaun
5 months ago
D) Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.
upvoted 0 times
...
Emile
6 months ago
I agree, having an SCP and permissions boundary for IAM roles will help streamline the process and ensure security measures are in place.
upvoted 0 times
...
Linette
6 months ago
Option D does seem like a good choice. It's important to have controls in place to prevent privilege escalation.
upvoted 0 times
...
Willis
6 months ago
Yeah, option D will definitely help streamline the process and prevent any privilege escalation issues.
upvoted 0 times
...
Jonell
6 months ago
I agree, option D seems like the most efficient solution.
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77