Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 41 discussion

https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html#:~:text=When%20you%20create%20a%20permission%20set%20with%20a%20customer%20managed%20policy%2C%20you%20must%20create%20an%20IAM%20policy%20with%20the%20same%20name%20and%20path%20in%20each%20AWS%20account%20where%20IAM%20Identity%20Center%20assigns%20your%20permission%20set.

Give this a read y'all. Answer indeed is A. You must create the CMP in each account unlike the AWS Managed Policies https://aws.amazon.com/blogs/security/how-to-use-customer-managed-policies-in-aws-single-sign-on-for-advanced-use-cases/#:~:text=Configure%20an%20IAM%20Identity%20Center%20permission%20set%20to%20use%20a%20CMP

To resolve the issue of the permission set assignment failure in AWS IAM Identity Center, the security engineer should follow option A: Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account. This approach ensures that the customer managed policy is available in all the accounts where the permission set is being assigned, which is necessary for the assignment to succeed. By having the same policy name and permissions in each account, the security engineer can ensure consistency and avoid any conflicts that might arise from missing or mismatched policies

Definitely A - Key word = 'custom permission set" - https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html

The correcto answer is A. https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html#permissionsetscmpconcept When you create a permission set with a customer managed policy, you must create an IAM policy with the same name and path in each AWS account where IAM Identity Center assigns your permission set.

Answer is C. Dont blindly accept the answer selected by most of the people, it may be wrong sometimes. https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html IAM Identity Center assigns access to a user or group in one or more AWS accounts with permission sets. When you assign a permission set, IAM Identity Center creates corresponding IAM Identity Center-controlled IAM roles in each account, and attaches the policies specified in the permission set to those roles. Solve the policy conflicts as per option C and you are good.

Answer C - does not resolve the failure - It will only highlight where the issue is.. https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html "You can attach customer managed policies to your permission set. Customer managed policies are IAM policies in your account that you create and maintain. In contrast, AWS managed policies are IAM policies in your account that AWS maintains. You can assign an customer managed policy as permissions for the role that IAM Identity Center creates, or as a permissions boundary. When you create a permission set with a customer managed policy, you must create an IAM policy with the same name and path in each AWS account where IAM Identity Center assigns your permission set. If you are specifying a custom path, make sure to specify the same path in each AWS account. For more information, see Friendly names and paths in the IAM User Guide. IAM Identity Center attaches the IAM policy to the IAM role that it creates in your AWS account."

Identity Center's permission set actually creates IAM role in the target (member) AWS accounts. Therefore, when you include a customer managed policy into a permission set, you need to make sure that the member accounts recognize the customer managed policy, by creating the policy and giving it same name in every AWS member acocunt. Answer is A.

Answer is C. Because, when you assign a permissionset via the identity center; it automatically creates IAM controlled role in all the org. https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html

https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocmp.html "Before you assign your permission set with IAM policies, you must prepare your member account. The name of an IAM policy in your member account must be a case-sensitive match to name of the policy in your management account. IAM Identity Center fails to assign the permission set if the policy doesn't exist in your member account."

The correct answer is: C. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment. In this scenario, the assignment of the permission set to an IAM Identity Center user is failing, indicating a potential conflict between the AWS managed policy and the customer managed policy. It is important to review and evaluate the logic of both policies and resolve any conflicts before deploying the permission set. Options A and B suggest alternative actions but do not directly address the issue of policy conflicts. Option A involves creating the customer managed policy in every account, which may not resolve the underlying problem. Option B suggests removing either the AWS managed policy or the customer managed policy, which may not be the most appropriate solution. Option D suggests editing the user's existing permission set, but it does not address the potential conflicts between the AWS managed policy and the customer managed policy. Therefore, option C is the most appropriate choice to resolve the issue by thoroughly evaluating and resolving policy conflicts in the permission set before deployment. - ChatGPT

Answer C Not A: AWS IAM Identity Center enables you to centrally manage permissions across multiple AWS accounts without configuring each account manually. https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html Not B: You can assign more than one permission set to a user. https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsets.html Not D: A custom permission set can use up to 10 AWS managed or customer managed policies. https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html

I would go with C here, seems to be the most logical anwser