DOP-C02 Question #244: Real Exam Question with Answer & Explanation
The correct answer is D: Create an IAM role that has the necessary IAM access to allow the developer to create policies.
Question
A developer is creating a proof of concept for a new software as a service (SaaS) application. The application is in a shared development AWS account that is part of an organization in AWS Organizations. The developer needs to create service-linked IAM roles for the AWS services that are being considered for the proof of concept. The solution needs to give the developer the ability to create and configure the service-linked roles only. Which solution will meet these requirements?
Options
- A. Create an IAM user for the developer in the organization's management account. Configure a
- B. Add the developer to an IAM group. Attach the PowerUserAccess managed policy to the IAM
- C. Add an SCP to the development account in Organizations. Configure the SCP with a Deny rule
- D. Create an IAM role that has the necessary IAM access to allow the developer to create policies
Explanation
Option D is correct because creating a dedicated IAM role with only the IAM permissions needed to create and configure service-linked roles follows the principle of least privilege: the developer is granted exactly what the task requires (e.g., iam:CreateServiceLinkedRole) and nothing more. This is the most targeted and secure approach for a shared development account.
Why the distractors are wrong:
- Option A is incorrect because placing an IAM user in the management account is unnecessary and overly risky: the work is in the shared development account, and the management account should be tightly restricted.
- Option B is incorrect because PowerUserAccess grants broad permissions across nearly all AWS services, far exceeding what is needed just to create service-linked roles, which violates least privilege.
- Option C is incorrect because an SCP with a Deny rule would restrict actions, not grant the developer the ability to create service-linked roles; SCPs alone cannot grant permissions.
Memory Tip: Think "Least Privilege = Laser Focus". When a question asks for a solution scoped to only a specific task, the correct answer almost always involves a custom IAM role or policy with precisely the required permissions, not broad managed policies or organization-level controls.