Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 229 discussion

A developer is creating a proof of concept for a new software as a service (SaaS) application. The application is in a shared development AWS account that is part of an organization in AWS Organizations.

The developer needs to create service-linked IAM roles for the AWS services that are being considered for the proof of concept. The solution needs to give the developer the ability to create and configure the service-linked roles only.

Which solution will meet these requirements?

  • A. Create an IAM user for the developer in the organization's management account. Configure a cross-account role in the development account for the developer to use. Limit the scope of the cross-account role to common services.
  • B. Add the developer to an IAM group. Attach the PowerUserAccess managed policy to the IAM group. Enforce multi-factor authentication (MFA) on the user account.
  • C. Add an SCP to the development account in Organizations. Configure the SCP with a Deny rule for iam:* to limit the developer's access.
  • D. Create an IAM role that has the necessary IAM access to allow the developer to create policies and roles. Create and attach a permissions boundary to the role. Grant the developer access to assume the role.
Suggested Answer: D

Comments

tgv
1 month, 3 weeks ago
---> D
upvoted 1 times
TEC1
1 month, 3 weeks ago
Selected Answer: D
D - is more granular since it provides the right balance of granting necessary permissions while maintaining security and following the principle of least privilege. It allows the developer to create and configure service-linked roles as needed for the proof of concept, while the permissions boundary ensures that they can't exceed their intended level of access.
upvoted 3 times
trungtd
1 month, 3 weeks ago
Selected Answer: D
A. This approach involves creating a user in the management account and setting up cross-account roles, which adds unnecessary complexity and potential security risks.
B. PowerUserAccess managed policy provides broad permissions that go beyond just creating and configuring service-linked roles. This approach does not meet the requirement to restrict the developer's capabilities specifically to service-linked role management.
C. SCPs are used to set permission guardrails at the organizational or account level, but they do not grant permissions. They are used to restrict actions, and configuring an SCP with a deny rule for iam:* would likely prevent the developer from performing necessary actions.
D effectively meets the requirements.
upvoted 3 times
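
Added example (not part of the exam page or of any commenter's post): a simplified model of how an identity policy, a permissions boundary and an SCP combine, showing why option D limits the role to service-linked roles while the SCP in option C blocks them too. The policies, account ID, ARNs and function names are constructed assumptions, and the model ignores conditions, NotAction, session policies and resource-based policies.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _verdict(policy, action, resource):
    """Return 'Deny', 'Allow' or None for one policy (explicit deny wins)."""
    effects = {
        s["Effect"] for s in policy
        if any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(s["Action"]))
        and any(fnmatchcase(resource, r) for r in _as_list(s["Resource"]))
    }
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None

def is_allowed(action, resource, identity, boundary, scp):
    """Allowed only if identity policy, boundary and SCP each allow the request."""
    return all(_verdict(p, action, resource) == "Allow"
               for p in (identity, boundary, scp))

# --- Constructed policies (assumptions for illustration) ---
# Option D: a broad role policy, capped by a permissions boundary.
ROLE_POLICY = [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]
BOUNDARY = [{
    "Effect": "Allow",
    "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
               "iam:GetServiceLinkedRoleDeletionStatus", "iam:GetRole"],
    "Resource": "arn:aws:iam::*:role/aws-service-role/*",
}]
FULL_ACCESS_SCP = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
# Option C: an SCP that denies every IAM action in the account.
DENY_IAM_SCP = FULL_ACCESS_SCP + [{"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]

# Constructed ARNs: one service-linked role, one ordinary role.
SLR_ARN = ("arn:aws:iam::111122223333:role/aws-service-role/"
           "elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing")
ADMIN_ARN = "arn:aws:iam::111122223333:role/Admin"

def demo():
    d = (ROLE_POLICY, BOUNDARY, FULL_ACCESS_SCP)   # option D
    c = (ROLE_POLICY, BOUNDARY, DENY_IAM_SCP)      # option C's SCP added
    return {
        "D: create service-linked role": is_allowed("iam:CreateServiceLinkedRole", SLR_ARN, *d),
        "D: create ordinary role": is_allowed("iam:CreateRole", ADMIN_ARN, *d),
        "D: attach policy to Admin": is_allowed("iam:AttachRolePolicy", ADMIN_ARN, *d),
        "C: create service-linked role": is_allowed("iam:CreateServiceLinkedRole", SLR_ARN, *c),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```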