DOP-C02 Question #285: Real Exam Question with Answer & Explanation
The correct answer is A: Create a new AWS account for the IAM team. In the new account, enable IAM Identity Center. In
Question
A company uses AWS Organizations to manage hundreds of AWS accounts. The company has a team that is responsible for AWS Identity and Access Management (IAM). The IAM team wants to implement AWS IAM Identity Center (AWS Single Sign-On). The IAM team must have only the minimum needed permissions to manage IAM Identity Center. The IAM team must not be able to gain unneeded access to the Organizations management account. The IAM team must be able to provision new IAM Identity Center permission sets and assignments for existing and new member accounts. Which combination of steps will meet these requirements? (Choose three.)
Options
- A. Create a new AWS account for the IAM team. In the new account, enable IAM Identity Center. In
- B. Create a new AWS account for the IAM team. In the Organizations management account, enable
- C. In IAM Identity Center, create users and a group for the IAM team. Add the users to the group.
- D. In IAM Identity Center, create users and a group for the IAM team. Add the users to the group.
- E. Assign the permission set to the Organizations management account. Allow the IAM team group
- F. Assign the permission set to the new AWS account. Allow the IAM team group to use the
Explanation
To implement IAM Identity Center with minimal permissions for the IAM team and prevent unneeded access to the Organizations management account, delegate SSO administration to a new dedicated account, create a permission set for Identity Center management, and assign it to the IAM team's group in that delegated account.
Common mistakes.
- B. Enabling IAM Identity Center directly in the Organizations management account is not a best practice for security and would expose the Identity Center configuration to the highly privileged management account, violating the least privilege principle for the IAM team.
- C. Creating users and groups within IAM Identity Center is a step for granting users access to resources, not for granting the IAM team administrative permissions to manage Identity Center itself.
- E. Assigning an administrative permission set directly to the Organizations management account would give the IAM team a role in that account, potentially granting unneeded access and violating the principle of isolating SSO administration from the management account.
Concept tested. AWS Organizations, IAM Identity Center (SSO) best practices, delegated administration, least privilege
Reference. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_abilities.html
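The delegated-administration pattern the explanation describes, as an added Terraform example (not from the page or from AWS). It assumes a provider alias `aws.mgmt` with management-account credentials (delegation can only be registered from there) and a default provider for the new IAM-team account; the account id 111122223333, the group name `iam-team`, the permission set name `IdentityCenterAdmin` and the choice of the `AWSSSOMasterAccountAdministrator` managed policy are assumptions to review against your own least-privilege baseline.

```hcl
# Added example, not the page's own. Assumes aws.mgmt = management-account credentials,
# default provider = the new IAM-team account. Account id 111122223333, group "iam-team",
# set name "IdentityCenterAdmin" and the managed policy are constructed/assumed values.
# 1. Management account: delegate Identity Center administration to the dedicated account.
resource "aws_organizations_delegated_administrator" "identity_center" {
  provider          = aws.mgmt
  account_id        = "111122223333"
  service_principal = "sso.amazonaws.com"
}
# 2. Delegated account: resolve the Identity Center instance and the IAM team's group.
data "aws_ssoadmin_instances" "this" {}
locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}
data "aws_identitystore_group" "iam_team" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "iam-team"
    }
  }
}
# 3. Permission set scoped to administering Identity Center (assumed managed policy; review scope).
resource "aws_ssoadmin_permission_set" "identity_center_admin" {
  name             = "IdentityCenterAdmin"
  instance_arn     = local.instance_arn
  session_duration = "PT2H"
}
resource "aws_ssoadmin_managed_policy_attachment" "identity_center_admin" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.identity_center_admin.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AWSSSOMasterAccountAdministrator"
}
# 4. Assign it to the group in the delegated account only. A delegated administrator cannot
#    create assignments that target the management account, so the IAM team stays out of it.
resource "aws_ssoadmin_account_assignment" "iam_team" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.identity_center_admin.arn
  principal_id       = data.aws_identitystore_group.iam_team.group_id
  principal_type     = "GROUP"
  target_id          = "111122223333"
  target_type        = "AWS_ACCOUNT"
}
```

Once applied, the IAM team signs in to the delegated account through the access portal and provisions permission sets and assignments for member accounts from there, with no role in the management account.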