DOP-C02 Question #326: Real Exam Question with Answer & Explanation
The correct answer is B: Create an IAM permission boundary policy. Define the maximum actions that the AWS CDK …
Question
A company uses an AWS Cloud Development Kit (AWS CDK) application for its infrastructure. The AWS CDK application creates AWS Lambda functions and the IAM roles that are attached to the functions. The company also uses AWS Organizations. The company's developers can assume the AWS CDK application deployment role. The company's security team discovered that the developers and the role used to deploy the AWS CDK application have more permissions than necessary. The security team also discovered that the roles attached to the Lambda functions that the CDK application creates have more permissions than necessary. The developers must not have the ability to grant additional permissions. Which solution will meet these requirements with the LEAST operational overhead?
Options
- A. Create an SCP that denies the iam:CreateRole action and the iam:UpdateRole action for the …
- B. Create an IAM permission boundary policy. Define the maximum actions that the AWS CDK …
- C. Create an IAM permission boundary policy. Define the maximum actions that the AWS CDK …
- D. Create an SCP that denies the iam:CreateRole action and the iam:UpdateRole action for the …
Explanation
A permission boundary is an advanced IAM feature that limits the maximum permissions a role or user can receive: the identity's effective permissions are the intersection of its own policies and the boundary, so a role's policy cannot grant anything the boundary does not also allow. By creating a permission boundary policy, you ensure that the AWS CDK application and the Lambda functions it creates do not exceed the defined permissions. This limits the scope of actions available both to the developers and to the roles attached to the Lambda functions.

AWS CDK supports permission boundaries by letting you configure the CDK bootstrap environment with a permissions boundary that is applied to every IAM role or policy the CDK application creates. Any role or policy created by the developers or by the AWS CDK app itself is therefore constrained by the boundary automatically, without the developers having to modify the application code.

This solution requires only a one-time setup of the permission boundary policy and a change to the CDK bootstrap process, which makes it straightforward to implement and manage. Once configured, it enforces the desired restrictions consistently across all roles created by the CDK without requiring developers to handle permissions directly, which reduces errors and keeps deployments in line with security policy. Using IAM permission boundaries in the AWS CDK bootstrap process thus enforces least privilege for all roles the CDK application creates in an automated and scalable way, with minimal operational overhead.
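As an added illustration (not from the exam page or from AWS), the snippet below builds a boundary policy of the kind registered at bootstrap with `cdk bootstrap --custom-permissions-boundary`, the deny-unless-boundary guard that stops developers from creating roles that escape it, and a simplified model of how IAM intersects a role's own policy with the boundary. The account id, policy name, table name and the over-broad role are constructed placeholders.

```python
"""Constructed example (not from the exam page): a permissions boundary that caps
CDK-created Lambda roles, a guard so developers cannot create roles without it,
and a simplified view of how IAM intersects an identity policy with the boundary."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                         # placeholder account id
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/cdk-lambda-boundary"  # assumed name

# The boundary is the MAXIMUM any role created by the CDK app may hold. Register it
# once at bootstrap:  cdk bootstrap --custom-permissions-boundary cdk-lambda-boundary
BOUNDARY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
     "Resource": f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/orders"}]}

# Attached to the developer / deployment role: creating a role or attaching a policy
# is denied unless the request carries the boundary, so no role can escape it.
# iam:PermissionsBoundary is the real IAM condition key for this check.
DEVELOPER_GUARD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Resource": "*",
    "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
    "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}}]}

def _allowed_actions(policy):
    """Flatten the Action lists of every Allow statement."""
    acts = []
    for st in policy["Statement"]:
        if st["Effect"] == "Allow":
            a = st["Action"]
            acts += a if isinstance(a, list) else [a]
    return acts

def effective_actions(identity_policy, boundary, requested):
    """Return the requested actions allowed by BOTH the role's own policy and the
    boundary. Simplified model: Allow statements, action wildcards, resources ignored."""
    ident, bound = _allowed_actions(identity_policy), _allowed_actions(boundary)
    return [r for r in requested
            if any(fnmatchcase(r, p) for p in ident)
            and any(fnmatchcase(r, p) for p in bound)]

# An over-privileged role as a CDK app might generate it before the boundary applies.
OVERBROAD_LAMBDA_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:*", "dynamodb:*", "s3:*"], "Resource": "*"}]}

# With the boundary in force, only logs:PutLogEvents of these three survives.
CLIPPED = effective_actions(OVERBROAD_LAMBDA_ROLE, BOUNDARY_POLICY,
                            ["logs:PutLogEvents", "dynamodb:DeleteTable", "s3:GetObject"])
```

The guard matters because a boundary only constrains roles that carry it; without the condition on the deployment role, a developer could still create a role with no boundary attached.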