Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 476 discussion

Option B is incorrect because IAM roles are not directly attached to IAM groups.

Agreed with C https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html Attaching a policy to an IAM user group

"Manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources." "An IAM role is an identity within your AWS account that has specific permissions. It's similar to an IAM user, but isn't associated with a specific person." "IAM roles do not have any permanent credentials associated with them and are instead assumed by IAM users, AWS services, or applications that need temporary security credentials to access AWS resources"

create role=for resource like EC2 and lambda .... create a Policy =for groups or user access policy for the resources like S3 bucket

Not A or D because this is not about restricting maximum permissions, it is is about securely granting permissions Not B because IAM roles are not attached to IAM groups. C because IAM policies are attached to IAM groups.

A is wrong SCPs are mainly used along with AWS Organizations organizational units (OUs). SCPs do not replace IAM Policies such that they do not provide actual permissions. To perform an action, you would still need to grant appropriate IAM Policy permissions.

Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups

An IAM policy is an object in AWS that, when associated with an identity or resource, defines their permissions. Permissions in the policies determine whether a request is allowed or denied. You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. So, option B will also work. But Since I can only choose one, C would be it.

You can attach up to 10 IAM policy for a 'user group'.

C is the correct one.

should be b