Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 215 discussion

It's C for me, here is a link with a similar scenario: https://asecure.cloud/a/scp_deny_iam_user_creation_w_exception/

While IAM policies can deny actions, they are typically attached to individual users or roles. In this scenario, you want to restrict user creation across the entire research team's account, making an SCP the more appropriate choice.

A as the restriction just needs to be applied to the research team but not the whole account users

The wording is that only the research team should not be allowed to create users. This is A as the Permission Set will apply to just them. If you choose C it's an account wide deny so no other user or admins would be able to create a user which is outside the scope of the question.

IAM Policy to Deny iam:CreateUser An IAM policy is applied to individual IAM users, groups, or roles within an AWS account. Here's an example policy that denies the iam:CreateUser action: IAM Policy JSON json Copy code { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*" } ] } Steps to Attach IAM Policy to Research Administrator Permission Set: Navigate to AWS IAM Identity Center (SSO). Select the Permission Sets section. Choose the Research Administrator permission set. Attach the custom policy above to the permission set by selecting Add permissions → Custom policy.

A meets the requirements. C would deny CreateUser for all the IAM entities in the account, not only the research team

c for me

For those who selected C, why would you create ab SCP that will deny any IAM user from creating another IAM when the question clearly states only the research team shouldn't be able to create an IAM user? the deny policy will restrict only the Research Administrator permission set, which is what we want.

i go for C just make sure no one can create account scp also can create with exception as mentioned by @CloudHell

I'll go for A as the question says: "The cloud team must ensure that no one on the research team can create IAM users." C will block everybody (not just the research team)

C, A is not enough due research team still could create iam role with that allows him to create iam user and e.g. invoke lambda that does it for him obviously unwanted implication is that no one in this account can create IAM users even admins, but still it fulfills the requirements

A, only the research team shouldn't be able to create IAM users.

C for me

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

C is the answer. IAM policy is not as scalable or centralized as using an SCP. You can attach an SCP to the organization root, to an organizational unit (OU), or directly to an account https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

A is the correct option since you can not apply SCP directly to an AWS Account (need to be OU)

SCP can be applied to an OU. Therefore, the answer is A.