Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 270 discussion

A company uses AWS Organizations to manage hundreds of AWS accounts. The company has a team that is responsible for AWS Identity and Access Management (IAM).

The IAM team wants to implement AWS IAM Identity Center (AWS Single Sign-On). The IAM team must have only the minimum needed permissions to manage IAM Identity Center. The IAM team must not be able to gain unneeded access to the Organizations management account. The IAM team must be able to provision new IAM Identity Center permission sets and assignments for existing and new member accounts.

Which combination of steps will meet these requirements? (Choose three.)

  • A. Create a new AWS account for the IAM team. In the new account, enable IAM Identity Center. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.
  • B. Create a new AWS account for the IAM team. In the Organizations management account, enable IAM Identity Center. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.
  • C. In IAM Identity Center, create users and a group for the IAM team. Add the users to the group. Create a new permission set. Attach the AWSSSODirectoryAdministrator managed IAM policy to the group.
  • D. In IAM Identity Center, create users and a group for the IAM team. Add the users to the group. Create a new permission set. Attach the AWSSSOMemberAccountAdministrator managed IAM policy to the group.
  • E. Assign the permission set to the Organizations management account. Allow the IAM team group to use the permission set.
  • F. Assign the permission set to the new AWS account. Allow the IAM team group to use the permission set.
Suggested Answer: CDE
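The procedure the question describes, as an added example that is not part of the ExamTopics page or of AWS documentation: a POSIX shell script wrapping the AWS CLI calls that register a delegated administrator for IAM Identity Center, build a permission set carrying AWSSSOMemberAccountAdministrator, create the IAM team group, and assign the permission set to the team's own account. The profile names (org-management, iam-team), the account ID 111122223333 and the names IdentityCenterAdmin and IAMTeam are assumptions; the IAM Identity Center organization instance itself is assumed to have been enabled from the management account beforehand. With DRY_RUN=1 the script prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not from ExamTopics or AWS): the AWS CLI sequence behind the
# "dedicated account + delegated administrator" design.  Profile names and
# the account ID are constructed placeholders; the Identity Center organization
# instance must already have been enabled from the management account.
# DRY_RUN=1 prints each command (to stderr) instead of calling the AWS CLI.

DRY_RUN="${DRY_RUN:-0}"
MGMT_PROFILE="${MGMT_PROFILE:-org-management}"        # assumed: management account profile
IAM_PROFILE="${IAM_PROFILE:-iam-team}"                # assumed: IAM team (delegated admin) profile
IAM_TEAM_ACCOUNT="${IAM_TEAM_ACCOUNT:-111122223333}"  # placeholder account ID
IDC_ADMIN_POLICY="arn:aws:iam::aws:policy/AWSSSOMemberAccountAdministrator"

run() {
  # Echo the exact command so the run is auditable; skip execution when DRY_RUN=1.
  printf '%s\n' "$*" >&2
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Step 1 (management account, one time): trusted access for Identity Center and
# registration of the IAM team's account as delegated administrator.
register_delegated_admin() {      # $1 = account ID to delegate to
  run aws organizations enable-aws-service-access \
      --service-principal sso.amazonaws.com --profile "$MGMT_PROFILE"
  run aws organizations register-delegated-administrator \
      --account-id "$1" --service-principal sso.amazonaws.com --profile "$MGMT_PROFILE"
}

# Check from the management account: who currently holds the delegation.
list_delegated_admins() {
  run aws organizations list-delegated-administrators \
      --service-principal sso.amazonaws.com --profile "$MGMT_PROFILE" --output table
}

# Steps 2-4 run from the delegated administrator account, not the management account.
create_admin_permission_set() {   # $1 = instance ARN, $2 = permission set name -> prints its ARN
  run aws sso-admin create-permission-set --instance-arn "$1" --name "$2" \
      --session-duration PT4H --profile "$IAM_PROFILE" \
      --query 'PermissionSet.PermissionSetArn' --output text
}

attach_idc_admin_policy() {       # $1 = instance ARN, $2 = permission set ARN
  run aws sso-admin attach-managed-policy-to-permission-set --instance-arn "$1" \
      --permission-set-arn "$2" --managed-policy-arn "$IDC_ADMIN_POLICY" --profile "$IAM_PROFILE"
}

create_group() {                  # $1 = identity store ID, $2 = group name -> prints GroupId
  run aws identitystore create-group --identity-store-id "$1" --display-name "$2" \
      --profile "$IAM_PROFILE" --query 'GroupId' --output text
}

assign_group_to_account() {       # $1 = instance ARN, $2 = permission set ARN, $3 = group ID, $4 = account ID
  # Target a member account, not the management account: that keeps the team out
  # of the management account and inside what a delegated administrator may manage.
  run aws sso-admin create-account-assignment --instance-arn "$1" \
      --target-id "$4" --target-type AWS_ACCOUNT \
      --permission-set-arn "$2" --principal-type GROUP --principal-id "$3" \
      --profile "$IAM_PROFILE"
}

# End-to-end run against a real organization (requires both profiles).
provision_iam_team() {
  register_delegated_admin "$IAM_TEAM_ACCOUNT"
  instance_arn=$(aws sso-admin list-instances --profile "$IAM_PROFILE" \
      --query 'Instances[0].InstanceArn' --output text)
  store_id=$(aws sso-admin list-instances --profile "$IAM_PROFILE" \
      --query 'Instances[0].IdentityStoreId' --output text)
  ps_arn=$(create_admin_permission_set "$instance_arn" IdentityCenterAdmin)
  attach_idc_admin_policy "$instance_arn" "$ps_arn"
  group_id=$(create_group "$store_id" IAMTeam)
  assign_group_to_account "$instance_arn" "$ps_arn" "$group_id" "$IAM_TEAM_ACCOUNT"
  list_delegated_admins
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
  provision_iam_team
fi
```

Run it as `sh idc-delegate.sh apply` with both profiles configured; only the delegation step uses the management account profile, everything after it uses the IAM team profile. One caveat worth knowing before deciding where to assign the permission set: a delegated administrator cannot manage permission sets that are provisioned in the management account, so assigning the team's permission set there would both widen their access and put that permission set outside what their delegated role can change.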

Comments

trungtd
Highly Voted 2 months ago
Selected Answer: ADF
A ensures that the IAM team operates within their own account, isolating their permissions and activities from the Organizations management account.
D provides the IAM team with the necessary permissions to manage IAM Identity Center across member accounts, without granting broader access. *Note that the AWSSSODirectoryAdministrator policy grants broader permissions than necessary.
F ensures that the IAM team has the necessary permissions within their designated account.
B: "The IAM team must not be able to gain unneeded access to the Organizations management account" => so B is wrong.
C contradicts the principle of least privilege.
E should be avoided to prevent the IAM team from gaining unneeded access.
upvoted 5 times
Shenannigan
Most Recent 3 days, 21 hours ago
Selected Answer: BDF
For B see this: https://aws.amazon.com/blogs/security/getting-started-with-aws-sso-delegated-administration/
For D: compare the two policies; AWSSSODirectoryAdministrator does not grant management of permission sets.
F: makes sure that the IAM team has the necessary permissions within their designated account.
upvoted 2 times
limelight04
2 weeks, 6 days ago
Selected Answer: BCF
Option B: Create a new AWS account for the IAM team. In the Organizations management account, enable IAM Identity Center. Register the new account as a delegated administrator for IAM Identity Center. This ensures that the IAM team can manage IAM Identity Center without gaining access to the Organizations management account.
Option C: In IAM Identity Center, create users and a group for the IAM team. Add the users to the group. Create a new permission set and attach the AWSSSODirectoryAdministrator managed IAM policy to the group. This allows the IAM team to provision new permission sets and assignments for member accounts.
Option F: Assign the permission set to the new AWS account. Allow the IAM team group to use the permission set. This ensures that the IAM team can effectively manage IAM Identity Center in their dedicated account.
upvoted 1 times
vaxepa
3 weeks, 6 days ago
Selected Answer: ADF
Vote for ADF
upvoted 2 times
jamesf
1 month, 2 weeks ago
Selected Answer: ADF
I go for ADF.
Option A: This option creates a new account for IAM Identity Center management, separating it from the Organizations management account. This helps in maintaining the principle of least privilege and ensures that IAM Identity Center management is handled without direct access to broader organizational settings.
Option D: The AWSSSOMemberAccountAdministrator policy provides comprehensive IAM Identity Center permissions needed for provisioning new permission sets and assignments across member accounts. This policy aligns well with the requirement to manage IAM Identity Center with full administrative capabilities. (Required to manage new and all member accounts.)
upvoted 3 times
jamesf
1 month, 1 week ago
Keywords:
- minimum needed permissions to manage IAM Identity Center.
- unneeded access to the Organizations management account.
upvoted 1 times
d9iceguy
1 month, 3 weeks ago
Selected Answer: BCF
The AWSSSODirectoryAdministrator policy is better; AWSSSOMasterAccountAdministrator gives too many permissions: https://docs.aws.amazon.com/singlesignon/latest/userguide/security-iam-awsmanpol.html
B also, because you want to enable AWS IAM IDC in the management account and delegate administration to the IAM account.
upvoted 1 times
tgv
2 months ago
Selected Answer: ADF
---> ADF
upvoted 4 times
TEC1
2 months ago
Selected Answer: BCF
B - This step is correct because it enables IAM Identity Center in the management account (which is necessary) and then delegates administration to a separate account for the IAM team. This approach follows the principle of least privilege by not giving the IAM team unnecessary access to the management account.
C - This step is correct because it sets up the necessary users and groups in IAM Identity Center and assigns the appropriate permissions. The AWSSSODirectoryAdministrator policy provides the necessary permissions to manage IAM Identity Center without granting excessive privileges.
F - This step completes the setup by assigning the permission set to the new account created for the IAM team, allowing them to perform their duties within that account rather than in the management account.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other