
Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 236 discussion

A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1,000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.

The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation.

Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).
  • B. Delegate application team leads to provision IAM roles for each team. Conduct a quarterly review of the IAM roles the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.
  • C. Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions in the AWS account of each team.
  • D. Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.
Suggested Answer: D

Comments

Selected Answer: D
The correct answer is D. The company is rapidly scaling to 1,000+ AWS accounts and needs to delegate IAM role creation while ensuring security and preventing privilege escalation. The best approach is to use:
  • Service Control Policies (SCPs): These apply at the organizational level in AWS Organizations to enforce security rules across all accounts.
  • Permissions Boundaries: These ensure that even if teams create IAM roles, they cannot grant excessive permissions beyond what the security team allows.
This solution meets the requirements with the least operational overhead because:
  ✅ Application teams can create IAM roles themselves, reducing the security team's backlog.
  ✅ SCPs prevent teams from overriding security policies or creating overly permissive roles.
  ✅ Permissions boundaries ensure IAM roles have restricted permissions, preventing privilege escalation.
upvoted 1 times
IPLogic
4 months, 3 weeks ago
Selected Answer: D
D. Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles. Service Control Policies (SCPs) and permissions boundaries are effective tools for controlling the maximum permissions an IAM role can have within an AWS Organization. By attaching an SCP to the root organizational unit (OU), you ensure that only roles with the permissions boundary can be created, which enforces strict controls on what these roles can do. This approach allows application teams to create roles within the defined boundaries, reducing the security team's workload and preventing privilege escalation.
upvoted 1 times
IPLogic
4 months, 3 weeks ago
Option A involves a more complex setup with IAM groups and individual users, which can be difficult to manage at scale, especially with a large number of accounts. Option B introduces manual oversight and periodic reviews, which can add significant operational overhead and risks if the team leads do not manage roles properly. Option C involves managing SCPs at multiple levels, which can become complex and hard to maintain as the number of accounts grows. Using SCPs and permissions boundaries (Option D) provides a scalable and automated approach to managing IAM roles, ensuring security and compliance with minimal manual intervention.
upvoted 1 times
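An added example, not from the exam or from any commenter, of what answer D looks like as a root-OU SCP, with a small evaluator that shows why a CreateRole call without the boundary is denied. The boundary policy name TeamPermissionsBoundary is assumed; the SCP only enforces its use, so the boundary policy itself still has to exist in every member account.

```python
import fnmatch

# Assumed boundary name; it must exist as a managed policy in every member account.
BOUNDARY_ARN = "arn:aws:iam::*:policy/TeamPermissionsBoundary"

def build_scp(boundary_arn: str) -> dict:
    """Root-OU SCP: create principals only with the boundary, never detach it, never edit it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RequireBoundaryOnPrincipalCreation",
                "Effect": "Deny",
                "Action": ["iam:CreateRole", "iam:CreateUser",
                           "iam:PutRolePermissionsBoundary", "iam:PutUserPermissionsBoundary"],
                "Resource": "*",
                # ArnNotLike (not StringNotEquals) so the account-id wildcard in the ARN works.
                "Condition": {"ArnNotLike": {"iam:PermissionsBoundary": boundary_arn}},
            },
            {
                "Sid": "DenyBoundaryRemoval",
                "Effect": "Deny",
                "Action": ["iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary"],
                "Resource": "*",
            },
            {
                "Sid": "ProtectBoundaryPolicy",
                "Effect": "Deny",
                "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                           "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
                "Resource": boundary_arn,
            },
        ],
    }

def scp_denies(scp: dict, action: str, resource: str, context: dict) -> bool:
    """Tiny evaluator for the Deny statements above (wildcard Action/Resource, one ArnNotLike
    key). Not a full IAM engine: anything it does not deny still needs an identity-policy Allow."""
    for stmt in scp["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("ArnNotLike", {})
        # Negated operator: a key absent from the request evaluates to true, so no boundary => Deny.
        if all(k not in context or not fnmatch.fnmatchcase(context[k], v)
               for k, v in cond.items()):
            return True
    return False
```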
Community vote distribution: A (35%), C (25%), B (20%), Other