Exam AWS Certified Security - Specialty SCS-C02 All Questions

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 41 discussion

A company that uses AWS Organizations is using AWS IAM Identity Center (AWS Single Sign-On) to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account.
When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails.
What should the security engineer do to resolve this failure?

  • A. Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.
  • B. Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.
  • C. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.
  • D. Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.
Suggested Answer: A 🗳️

Comments

pupsik
Highly Voted 1 year, 1 month ago
Selected Answer: A
https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html#:~:text=When%20you%20create%20a%20permission%20set%20with%20a%20customer%20managed%20policy%2C%20you%20must%20create%20an%20IAM%20policy%20with%20the%20same%20name%20and%20path%20in%20each%20AWS%20account%20where%20IAM%20Identity%20Center%20assigns%20your%20permission%20set.
upvoted 8 times
[Removed]
Highly Voted 1 year ago
Selected Answer: A
Give this a read y'all. Answer indeed is A. You must create the CMP in each account unlike the AWS Managed Policies https://aws.amazon.com/blogs/security/how-to-use-customer-managed-policies-in-aws-single-sign-on-for-advanced-use-cases/#:~:text=Configure%20an%20IAM%20Identity%20Center%20permission%20set%20to%20use%20a%20CMP
upvoted 6 times
IPLogic
Most Recent 2 days, 4 hours ago
Selected Answer: A
To resolve the issue of the permission set assignment failure in AWS IAM Identity Center, the security engineer should follow option A: Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account. This approach ensures that the customer managed policy is available in all the accounts where the permission set is being assigned, which is necessary for the assignment to succeed. By having the same policy name and permissions in each account, the security engineer can ensure consistency and avoid any conflicts that might arise from missing or mismatched policies.
upvoted 1 times
TenaciousD
3 months, 2 weeks ago
Definitely A. Key word = "custom permission set": https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html
upvoted 1 times
arvehisa
9 months ago
Selected Answer: A
The correct answer is A. https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html#permissionsetscmpconcept "When you create a permission set with a customer managed policy, you must create an IAM policy with the same name and path in each AWS account where IAM Identity Center assigns your permission set."
upvoted 1 times
walter_white_008
9 months, 2 weeks ago
Selected Answer: C
Answer is C. Don't blindly accept the answer selected by most of the people; it may be wrong sometimes. https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html "IAM Identity Center assigns access to a user or group in one or more AWS accounts with permission sets. When you assign a permission set, IAM Identity Center creates corresponding IAM Identity Center-controlled IAM roles in each account, and attaches the policies specified in the permission set to those roles." Solve the policy conflicts as per option C and you are good.
upvoted 1 times
NoCrapEva
10 months ago
Selected Answer: A
Answer C does not resolve the failure; it will only highlight where the issue is. https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html "You can attach customer managed policies to your permission set. Customer managed policies are IAM policies in your account that you create and maintain. In contrast, AWS managed policies are IAM policies in your account that AWS maintains. You can assign an customer managed policy as permissions for the role that IAM Identity Center creates, or as a permissions boundary. When you create a permission set with a customer managed policy, you must create an IAM policy with the same name and path in each AWS account where IAM Identity Center assigns your permission set. If you are specifying a custom path, make sure to specify the same path in each AWS account. For more information, see Friendly names and paths in the IAM User Guide. IAM Identity Center attaches the IAM policy to the IAM role that it creates in your AWS account."
upvoted 1 times
Raphaello
10 months ago
Selected Answer: A
Identity Center's permission set actually creates an IAM role in the target (member) AWS accounts. Therefore, when you include a customer managed policy in a permission set, you need to make sure that the member accounts recognize the customer managed policy, by creating the policy and giving it the same name in every AWS member account. Answer is A.
upvoted 1 times
mynickc
10 months, 3 weeks ago
Selected Answer: C
Answer is C. Because when you assign a permission set via Identity Center, it automatically creates an IAM-controlled role in all the org's accounts. https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html
upvoted 1 times
Daniel76
1 year ago
Selected Answer: A
https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocmp.html "Before you assign your permission set with IAM policies, you must prepare your member account. The name of an IAM policy in your member account must be a case-sensitive match to name of the policy in your management account. IAM Identity Center fails to assign the permission set if the policy doesn't exist in your member account."
upvoted 3 times
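The docs quoted in this thread state the rule that explains the failure: the customer managed policy must exist, with a case-sensitive name match and the same path, in every member account before the permission set can be assigned. The following Python is an added example (not from the discussion, not AWS code) of a preflight check that a security engineer could run before assigning such a permission set, plus a helper that emits a CloudFormation template for the policy so that one StackSets deployment gives every account an identical name and path. The account IDs, policy names, paths and policy inventory are constructed sample data; in a real run the inventory would come from `iam:ListPolicies` (Scope=Local) in each member account, and the template would be deployed with StackSets.

```python
"""Preflight check for a customer managed policy (CMP) referenced by an IAM
Identity Center permission set (added example; constructed data)."""

import json

# Constructed inventory: account id -> list of (policy name, path) for the
# customer managed policies present in that account. A real run would build
# this from iam:ListPolicies with Scope=Local in each member account.
SAMPLE_INVENTORY = {
    "111111111111": [("SecurityAuditBaseline", "/"), ("S3ReadOnlyCustom", "/custom/")],
    "222222222222": [("securityauditbaseline", "/")],        # name differs only by case
    "333333333333": [("SecurityAuditBaseline", "/custom/")],  # right name, wrong path
    "444444444444": [("SecurityAuditBaseline", "/")],
}


def missing_cmp_accounts(inventory, policy_name, policy_path="/"):
    """Return {account_id: reason} for every account where the permission set
    assignment would fail because no policy matches name AND path exactly.

    The name comparison is case-sensitive, mirroring the documented behaviour
    ("a case-sensitive match to the name of the policy in your management
    account"), so 'securityauditbaseline' does not satisfy 'SecurityAuditBaseline'.
    """
    problems = {}
    for account_id, policies in inventory.items():
        if (policy_name, policy_path) in policies:
            continue  # exact match present: this account is ready
        # Classify the failure so the remediation is obvious to the operator.
        by_lower_name = {name.lower(): (name, path) for name, path in policies}
        if policy_name.lower() in by_lower_name:
            found_name, found_path = by_lower_name[policy_name.lower()]
            if found_name != policy_name:
                problems[account_id] = f"case mismatch: found {found_name!r}"
            else:
                problems[account_id] = (
                    f"path mismatch: found {found_path!r}, expected {policy_path!r}"
                )
        else:
            problems[account_id] = "policy missing"
    return problems


def cmp_stackset_template(policy_name, policy_path, policy_document):
    """Build a CloudFormation template for one AWS::IAM::ManagedPolicy.

    Deploying this single template through StackSets to every target account
    guarantees that ManagedPolicyName and Path are identical everywhere, which
    is exactly what the permission set assignment requires.
    """
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": f"Customer managed policy {policy_name} for an Identity Center permission set",
        "Resources": {
            "CustomerManagedPolicy": {
                "Type": "AWS::IAM::ManagedPolicy",
                "Properties": {
                    "ManagedPolicyName": policy_name,
                    "Path": policy_path,
                    "PolicyDocument": policy_document,
                },
            }
        },
    }


# Constructed, deliberately narrow policy document for the sample CMP.
SAMPLE_POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:GetAccountSummary", "iam:ListRoles"], "Resource": "*"}
    ],
}


if __name__ == "__main__":
    report = missing_cmp_accounts(SAMPLE_INVENTORY, "SecurityAuditBaseline", "/")
    if report:
        print("Assignment would fail in these accounts:")
        for account_id, reason in sorted(report.items()):
            print(f"  {account_id}: {reason}")
        print("\nDeploy this template via StackSets to the accounts above:")
        print(json.dumps(cmp_stackset_template("SecurityAuditBaseline", "/", SAMPLE_POLICY_DOCUMENT), indent=2))
    else:
        print("All accounts have the policy with matching name and path; safe to assign.")
```

Running the check against the sample inventory flags account 222222222222 (case mismatch) and 333333333333 (path mismatch) while accounts 111111111111 and 444444444444 pass, which is the distinction the thread is arguing about: option C cannot fix either of those failures, because the problem is not policy logic but the absence of a matching policy object in the member account.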
AWSvad
1 year ago
The correct answer is: C. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment. In this scenario, the assignment of the permission set to an IAM Identity Center user is failing, indicating a potential conflict between the AWS managed policy and the customer managed policy. It is important to review and evaluate the logic of both policies and resolve any conflicts before deploying the permission set. Options A and B suggest alternative actions but do not directly address the issue of policy conflicts. Option A involves creating the customer managed policy in every account, which may not resolve the underlying problem. Option B suggests removing either the AWS managed policy or the customer managed policy, which may not be the most appropriate solution. Option D suggests editing the user's existing permission set, but it does not address the potential conflicts between the AWS managed policy and the customer managed policy. Therefore, option C is the most appropriate choice to resolve the issue by thoroughly evaluating and resolving policy conflicts in the permission set before deployment. - ChatGPT
upvoted 2 times
alexleely
11 months, 1 week ago
The correct answer is: A. Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account. Explanation: When using IAM Identity Center (AWS Single Sign-On) to administer access to AWS accounts across multiple accounts, and attaching a customer managed policy to a permission set, it's essential to create the corresponding IAM policy with the same name and permissions in each AWS account where the permission set is assigned. This ensures consistency and avoids issues during the assignment process. Option A aligns with this requirement by recommending the creation of the customer managed policy in every account where the permission set is assigned, with the same name and permissions. This approach helps in maintaining uniformity across accounts and resolving the assignment failure. Options B, C, and D do not directly address the need to create the customer managed policy in each account or ensure consistency across accounts, making option A the appropriate solution in this scenario. - ChatGPT
upvoted 1 times
kejam
1 year ago
Selected Answer: C
Answer C Not A: AWS IAM Identity Center enables you to centrally manage permissions across multiple AWS accounts without configuring each account manually. https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html Not B: You can assign more than one permission set to a user. https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsets.html Not D: A custom permission set can use up to 10 AWS managed or customer managed policies. https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html
upvoted 1 times
ahrentom
1 year, 1 month ago
Selected Answer: C
I would go with C here; it seems to be the most logical answer.
upvoted 3 times
ahrentom
1 year ago
I have to correct myself: the right one here is A.
upvoted 3 times
mynickc
10 months, 3 weeks ago
When you're using a permission set you don't need to create the customer managed policy in every org account manually, so it's C.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other