Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 351 discussion

A company uses an organization in AWS Organizations to manage multiple AWS accounts in a hierarchical structure. An SCP that is associated with the organization root allows IAM users to be created.

A DevOps team must be able to create IAM users with any level of permissions. Developers must also be able to create IAM users. However, developers must not be able to grant new IAM users excessive permissions. The developers have the CreateAndManageUsers role in each account. The DevOps team must be able to prevent other users from creating IAM users.

Which combination of steps will meet these requirements? (Choose two.)

  • A. Create an SCP in the organization to deny users the ability to create and modify IAM users. Attach the SCP to the root of the organization. Attach the CreateAndManageUsers role to developers.
  • B. Create an SCP in the organization to grant users that have the DeveloperBoundary policy attached the ability to create new IAM users and to modify IAM users. Configure the SCP to require users to attach the PermissionBoundaries policy to any new IAM user. Attach the SCP to the root of the organization.
  • C. Create an IAM permissions policy named PermissionBoundaries within each account. Configure the PermissionBoundaries policy to specify the maximum permissions that a developer can grant to a new IAM user.
  • D. Create an IAM permissions policy named PermissionBoundaries within each account. Configure PermissionsBoundaries to allow users who have the PermissionBoundaries policy to create new IAM users.
  • E. Create an IAM permissions policy named DeveloperBoundary within each account. Configure the DeveloperBoundary policy to allow developers to create IAM users and to assign policies to IAM users only if the developer includes the PermissionBoundaries policy as the permissions boundary. Attach the DeveloperBoundary policy to the CreateAndManageUsers role within each account.
Suggested Answer: CE
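
An added example, not part of the original page or of AWS's own material: a sketch of how options C and E fit together, with a small check that flags user-granting permissions issued without the boundary condition. The account ID, the Sids and the exact action list are assumptions, and `unbounded_grants` is a simplified lint (it reads `StringEquals` only and ignores `NotAction`), not a full IAM policy evaluator.

```python
import fnmatch
import json

# Assumption: 111122223333 is a placeholder account ID; the policy name is option C's.
BOUNDARY_ARN = "arn:aws:iam::111122223333:policy/PermissionBoundaries"
# IAM actions that create a user or change what a user is allowed to do.
GRANTING = {"iam:CreateUser", "iam:AttachUserPolicy", "iam:PutUserPolicy",
            "iam:PutUserPermissionsBoundary"}

# Constructed sketch of option E's DeveloperBoundary policy (attached to the
# CreateAndManageUsers role): granting works only with the boundary in place.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GrantOnlyWithBoundary", "Effect": "Allow",
         "Action": sorted(GRANTING), "Resource": "*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        {"Sid": "KeepBoundaryAttached", "Effect": "Deny",
         "Action": "iam:DeleteUserPermissionsBoundary", "Resource": "*"},
        {"Sid": "KeepBoundaryUnchanged", "Effect": "Deny",
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": BOUNDARY_ARN},
    ],
}

# Constructed weak variant: same intent, but no boundary condition at all.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:Attach*"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unbounded_grants(policy, boundary_arn=BOUNDARY_ARN):
    """Return granting actions that an Allow statement permits without
    requiring boundary_arn as the target user's permissions boundary."""
    found = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get(
            "iam:PermissionsBoundary")
        if required == boundary_arn:
            continue  # this statement only applies when the boundary is set
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain wildcards.
            found |= {g for g in GRANTING
                      if fnmatch.fnmatchcase(g.lower(), action.lower())}
    return sorted(found)

if __name__ == "__main__":
    print(json.dumps(DEVELOPER_BOUNDARY, indent=2))
```
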

Comments

Ky_24
Highly Voted 4 months, 1 week ago
Selected Answer: CE
1. IAM user creation:
   • Both the DevOps team and developers should be able to create IAM users.
2. Permissions control:
   • Developers should be restricted from granting excessive permissions to the IAM users they create.
3. Prevention of unauthorized IAM user creation:
   • Only the designated roles (DevOps and developers) should create IAM users.

To achieve this, AWS Permissions Boundaries provide an effective way to enforce limits on the permissions that developers can assign.
upvoted 5 times
...
Impromptu
Highly Voted 5 months ago
Selected Answer: CE
  • A would prevent anyone from creating IAM users, so both DevOps teams and Developers cannot create IAM users.
  • B would prevent the DevOps team from creating IAM users "with any level of permissions".
  • C would create the permission boundary that defines the maximum permissions of a user created by the Developers.
  • D does not work like that. The permission boundary would be used for preventing too many permissions on a user created by the Developers, and not for giving them user creation rights as well.
  • E would give the Developers the permissions to create users, but would force them to also attach the permission boundary (created in C) to the new user, limiting their permissions correctly (even if the Developer would give that user too many permissions).
upvoted 5 times
...
ArunRav
Most Recent 4 months, 4 weeks ago
Selected Answer: CE
The SCP in A denies access to everyone, but it doesn't explain the details of the PermissionBoundaries policy used in option C. Combining option C with option E, i.e. creating the PermissionBoundaries policy to define the boundary and creating the DeveloperBoundary policy, which allows developers to have access within the boundaries mentioned in PermissionBoundaries, makes sense. Hence CE.
upvoted 3 times
...
uncledana
5 months, 1 week ago
Selected Answer: AE
  • Option A provides the control at the organizational level to deny IAM user creation by non-DevOps users.
  • Option E ensures that developers can create users with limited permissions by enforcing Permission Boundaries, ensuring they cannot assign excessive permissions.

This combination effectively meets the requirements with the least operational overhead.
upvoted 1 times
...