Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 270 discussion

For B see this: https://aws.amazon.com/blogs/security/getting-started-with-aws-sso-delegated-administration/ For D: compare the two policies AWSSSODirectoryAdministrator does not grant managment of permission sets F: makes sure that the IAM team has the necessary permissions within their designated account

A ensures that the IAM team operates within their own account, isolating their permissions and activities from the Organizations management account. D provides the IAM team with the necessary permissions to manage IAM Identity Center across member accounts, without granting broader access. *Note that AWSSSODirectoryAdministrator policy grants broader permissions than necessary F. ensures that the IAM team has the necessary permissions within their designated account B. "The IAM team must not be able to gain unneeded access to the Organizations management account" => So B is wrong C contradicting the principle of least privilege. E should be avoided to prevent the IAM team from gaining unneeded access.

Selected Answer: BDF

BDF are correct

Really helpful https://www.youtube.com/watch?v=aXqRKlvK160

B. It's required to enable AWS IAM Identity Center in the Management Account and later delegate administration of AWS IAM Identity Center to a specific member account where the IAM team operates. D. To meet the requirements of the IAM team needing to provision new IAM Identity Center permission sets and assignments for existing and new member accounts, while ensuring they do not gain unneeded access to the Organizations management account, you should use the `AWSSSOMemberAccountAdministrator` policy. This policy provides the necessary permissions to manage AWS SSO settings and assignments within member accounts without granting full administrative access to the AWS SSO directory. F. The IAM roles or users must be created in the delegated member account for the IAM team to prevent the IAM team from gaining unneeded access.

B D F is correct. You enable the Identity Center in the management account first, not in the new account. For assignment, you need AWSSSOMemberAccountAdministrator, not AWSSSODirectoryAdministrator.

C for sure. The AWSSSOMemberAccountAdministrator policy provides required administrative actions to principals. The policy is intended for principals who perform the job role of an IAM Identity Center administrator. https://docs.aws.amazon.com/singlesignon/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSSSOMemberAccountAdministrator

Option B: Create a new AWS account for the IAM team. In the Organizations management account, enable IAM Identity Center. Register the new account as a delegated administrator for IAM Identity Center. This ensures that the IAM team can manage IAM Identity Center without gaining access to the Organizations management account. Option C: In IAM Identity Center, create users and a group for the IAM team. Add the users to the group. Create a new permission set and attach the AWSSSODirectoryAdministrator managed IAM policy to the group. This allows the IAM team to provision new permission sets and assignments for member accounts. Option F: Assign the permission set to the new AWS account. Allow the IAM team group to use the permission set. This ensures that the IAM team can effectively manage IAM Identity Center in their dedicated account.

I go for ADF Option A: This option creates a new account for IAM Identity Center management, separating it from the Organizations management account. This helps in maintaining the principle of least privilege and ensures that IAM Identity Center management is handled without direct access to broader organizational settings. Option D: The AWSSSOMemberAccountAdministrator policy provides comprehensive IAM Identity Center permissions needed for provisioning new permission sets and assignments across member accounts. This policy aligns well with the requirement to manage IAM Identity Center with full administrative capabilities. (Require to manage new and all member accounts)

AWSSSODirectoryAdministrator policy better AWSSSOMasterAccountAdministrator gives too much permissions https://docs.aws.amazon.com/singlesignon/latest/userguide/security-iam-awsmanpol.html B also because you want to enabled AWS IAM IDC in the management account and delegate administration to the IAM account

---> ADF

B - This step is correct because it enables IAM Identity Center in the management account (which is necessary) and then delegates administration to a separate account for the IAM team. This approach follows the principle of least privilege by not giving the IAM team unnecessary access to the management account. C - This step is correct because it sets up the necessary users and groups in IAM Identity Center and assigns the appropriate permissions. The AWSSSODirectoryAdministrator policy provides the necessary permissions to manage IAM Identity Center without granting excessive privileges. F - This step completes the setup by assigning the permission set to the new account created for the IAM team, allowing them to perform their duties within that account rather than in the management account.