DOP-C02 Question #311: Real Exam Question with Answer & Explanation
The correct answer is A: Create a new AWS account for the IAM team. Enable IAM Identity Center in the new account. In
Question
A company uses AWS Organizations to manage hundreds of AWS accounts. The company has a team that is responsible for AWS Identity and Access Management (IAM). The IAM team wants to implement AWS IAM Identity Center. The IAM team must have only the minimum required permissions to manage IAM Identity Center. The IAM team must not be able to gain unnecessary access to the Organizations management account. The IAM team must be able to provision new IAM Identity Center permission sets and assignments for new and existing member accounts. Which combination of steps will meet these requirements? (Choose three.)
Options
- A. Create a new AWS account for the IAM team. Enable IAM Identity Center in the new account. In
- B. Create a new AWS account for the IAM team. Enable IAM Identity Center in the Organizations
- C. Create an SCP in Organizations. Create a new OU for the Organizations management account,
- D. Create IAM users and an IAM group for the IAM team in IAM Identity Center. Add the users to the
- E. Assign the new permission set to the Organizations management account. Allow the IAM team's
- F. Assign the new permission set to the new AWS account. Allow the IAM team's group to use the
Explanation
By creating a new AWS account for the IAM team and enabling IAM Identity Center (formerly AWS SSO) in that account, you isolate the IAM team from the Organizations management account. This meets the requirement that the IAM team must not gain unnecessary access to the management account, which improves security.

Registering the new account as a delegated administrator for IAM Identity Center allows the IAM team to manage IAM Identity Center permission sets and assignments across all of the organization's member accounts without needing access to the management account.

By creating IAM users and groups in IAM Identity Center, you can centrally manage access for the IAM team. Attaching the AWSSSOMemberAccountAdministrator managed policy to the group's permission set gives the IAM team the permissions it needs to manage permission sets and assignments in member accounts, but not in the management account itself.

Assigning the permission set to the new AWS account for the IAM team ensures that the team can manage IAM Identity Center across the organization while keeping its permissions scoped to the new account, in line with the requirement to minimize its access.

In summary, creating a new account, registering it as the delegated administrator for IAM Identity Center, and using the appropriate permission set for managing IAM Identity Center across member accounts gives the team the minimum required permissions while maintaining security and operational efficiency.
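The steps the explanation describes, written out as AWS CLI calls in an added example script. This is not code from the exam page or from AWS; every account ID, the Identity Center instance ARN, the identity store ID, the group ID and the permission set ARN are placeholders (assumptions), and the script defaults to a dry run that prints each command so the change set can be reviewed before anything is executed. The `assert_not_management_account` guard encodes the distinction between options E and F: the IAM team's permission set is assigned to the new account, never to the management account.

```shell
#!/bin/sh
# Added example (not from the exam page or AWS): delegated administration of
# IAM Identity Center for a dedicated IAM-team account, as AWS CLI calls.
# All IDs/ARNs below are placeholders (assumptions); override them via the
# environment for a real run and set DRY_RUN=0 to execute instead of print.
set -eu

MGMT_ACCOUNT_ID="${MGMT_ACCOUNT_ID:-999999999999}"         # placeholder: Organizations management account
IAM_TEAM_ACCOUNT_ID="${IAM_TEAM_ACCOUNT_ID:-111122223333}" # placeholder: new account created for the IAM team
INSTANCE_ARN="${INSTANCE_ARN:-arn:aws:sso:::instance/ssoins-PLACEHOLDER}"   # placeholder Identity Center instance
IDENTITY_STORE_ID="${IDENTITY_STORE_ID:-d-PLACEHOLDER}"                    # placeholder identity store
PERMISSION_SET_NAME="${PERMISSION_SET_NAME:-IdentityCenterMemberAdmin}"    # assumed name
GROUP_NAME="${GROUP_NAME:-iam-team}"                                       # assumed name
DRY_RUN="${DRY_RUN:-1}"   # 1 = print each command instead of executing it

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Least-privilege guard: refuse any assignment whose target is the management
# account (option E); the IAM team only ever gets access to its own account (F).
assert_not_management_account() {
  if [ "${1:?target account id}" = "$MGMT_ACCOUNT_ID" ]; then
    echo "refusing to assign IAM-team access to management account $1" >&2
    return 1
  fi
}

# Step 1 (run once, with management-account credentials): delegate IAM Identity
# Center administration to the IAM team's account.
register_delegated_admin() {
  run aws organizations register-delegated-administrator \
    --account-id "$IAM_TEAM_ACCOUNT_ID" \
    --service-principal sso.amazonaws.com
}

# Step 2 (from the delegated-admin account): create the IAM team's group in
# the Identity Center directory.
create_iam_team_group() {
  run aws identitystore create-group \
    --identity-store-id "$IDENTITY_STORE_ID" \
    --display-name "$GROUP_NAME"
}

# Step 3: create the permission set (the real call returns its ARN).
create_permission_set() {
  run aws sso-admin create-permission-set \
    --instance-arn "$INSTANCE_ARN" \
    --name "$PERMISSION_SET_NAME"
}

# Step 4: attach AWSSSOMemberAccountAdministrator, which covers permission sets
# and assignments for member accounts only, not the management account.
attach_member_admin_policy() {
  run aws sso-admin attach-managed-policy-to-permission-set \
    --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "${1:?permission set arn}" \
    --managed-policy-arn arn:aws:iam::aws:policy/AWSSSOMemberAccountAdministrator
}

# Step 5: assign the permission set to the IAM team's group in the target
# account, after checking the target is not the management account.
# Usage: assign_permission_set <permission-set-arn> <group-id> <target-account-id>
assign_permission_set() {
  assert_not_management_account "${3:?target account id}" || return 1
  run aws sso-admin create-account-assignment \
    --instance-arn "$INSTANCE_ARN" \
    --target-type AWS_ACCOUNT --target-id "$3" \
    --permission-set-arn "${1:?permission set arn}" \
    --principal-type GROUP --principal-id "${2:?group id}"
}

main() {
  register_delegated_admin
  create_iam_team_group
  create_permission_set
  # Placeholders: in a real run take these from the create-group and
  # create-permission-set responses instead.
  ps_arn="${PERMISSION_SET_ARN:-arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-PLACEHOLDER}"
  group_id="${GROUP_ID:-g-PLACEHOLDER}"
  attach_member_admin_policy "$ps_arn"
  assign_permission_set "$ps_arn" "$group_id" "$IAM_TEAM_ACCOUNT_ID"
}

if [ "${RUN_SETUP:-0}" = "1" ]; then
  main
fi
```

Run with `RUN_SETUP=1` to print the full change set, then `DRY_RUN=0` with real IDs to apply it. Only the management account can register a delegated administrator, so step 1 is the one call that still needs management-account credentials; everything after it runs from the IAM team's account, which matches the page's point that the team manages member accounts without ever holding access to the management account.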