ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 167 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 167
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company's Security Engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is assigned additional permissions based on IAM group membership.
What should the Security Engineer do to meet these requirements?

  • A. Create an Inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
  • B. Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
  • C. Create an IAM group with an attached policy that allows for Amazon EC2 access. Associate the contractor's IAM account with the IAM group.
  • D. Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by JackLee1 at Aug. 29, 2020, 4:14 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
DanMuniz
Highly Voted 3 years, 9 months ago
B https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html#:~:text=A%20permissions%20boundary%20is%20an,policies%20and%20its%20permissions%20boundaries.
upvoted 9 times
...
YouYouYou
Highly Voted 3 years, 5 months ago
Create an IAM role that allows for EC2 and explicitly denies all other services. Instruct the contractor to always assume this role. the only way you can mitigate future wider permissions is by allowing what you want and explicitly disallow anything else the only solution that does that is D D correct answer.
upvoted 7 times
...
jamesf
Most Recent 10 months, 1 week ago
Selected Answer: B
Go for B keywords: "even if the IAM account is assigned additional permissions based on IAM group membership"
upvoted 1 times
...
hro
1 year, 3 months ago
B - D is eliminated because of security issues and insider threat scenarios.
upvoted 1 times
...
Raphaello
1 year, 4 months ago
Selected Answer: B
Add permissions boundary to the IAM user, setting the maximum permissions user can get, in this case only EC2. B is correct.
upvoted 1 times
...
Salah21
1 year, 8 months ago
Selected Answer: D
B is incorrect because the answer says "apply it to the contractor's IAM account". It did not say to the role he's assuming and you can't apply a permission boundary to a whole AWS account as far as I know. However, with D, the explicit denies will always trump over an allow so D answers both criteria : EC2 access + no other services allowed
upvoted 2 times
...
Jonfernz
3 years, 1 month ago
Selected Answer: B
AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
upvoted 3 times
...
acloudguru
3 years, 7 months ago
easy question, hope I can have it in my exam, B
upvoted 2 times
...
freddyman
3 years, 9 months ago
Agree it's B. A simpler way would be to create a policy that grants EC2 but denies everything else, as an explicit deny always wins over any other permission. The standard use case for permission boundaries is allowing a user to create other users, but giving those users only limited permissions.
upvoted 3 times
Kdosec
3 years, 8 months ago
You idea is very confused with this point "A simpler way would be to create a policy that grants EC2 but denies everything else". the requirement need to restrict EC2 instance access only, and other AWS services are prohibited. It is correct. So, A is correct as well. The question didn't provide enough information.
upvoted 1 times
...
...
PeppaPig
3 years, 9 months ago
B is correct
upvoted 2 times
...
JackLee1
3 years, 9 months ago
Answer is B https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel