DOP-C02 Question #60: Real Exam Question with Answer & Explanation
The correct answer is A: Create an SCP that includes a Deny statement for changes to the auditing application's IAM role. An SCP attached at the organization root, OU, or account level denies the role-modifying IAM actions to every principal in the affected accounts, and a condition on the caller's principal ARN exempts the trusted administrator role.
Question
A company hosts a security auditing application in an AWS account. The auditing application uses an IAM role to access other AWS accounts. All the accounts are in the same organization in AWS Organizations. A recent security audit revealed that users in the audited AWS accounts could modify or delete the auditing application's IAM role. The company needs to prevent any modification to the auditing application's IAM role by any entity other than a trusted administrator IAM role. Which solution will meet these requirements?
Options
- A. Create an SCP that includes a Deny statement for changes to the auditing application's IAM role.
- B. Create an SCP that includes an Allow statement for changes to the auditing application's IAM role.
- C. Create an IAM permissions boundary that includes a Deny statement for changes to the auditing
- D. Create an IAM permissions boundary that includes a Deny statement for changes to the auditing
Explanation
SCPs (Service Control Policies) are the right tool because they are attached at the organization root, OU, or account level and cap the permissions of every IAM user and role in the affected accounts, regardless of what those principals' identity-based policies grant. A single SCP that denies the role-modifying IAM actions (for example iam:UpdateRole, iam:DeleteRole, iam:UpdateAssumeRolePolicy, iam:AttachRolePolicy, iam:PutRolePolicy) on the auditing application's role, with a condition on the aws:PrincipalArn context key that exempts the trusted administrator role, enforces the requirement in one place for all accounts at once. Option B is wrong because an Allow statement in an SCP only defines the maximum permissions available; it grants nothing by itself and would not stop anyone from changing the role. Options C and D are less effective because a permissions boundary is attached to an individual IAM user or role (not to a group, and not to an account), so it would have to be attached to every principal in every audited account and re-applied to each new one, and any principal allowed to create users or roles without the boundary could bypass it. Two caveats apply to option A: SCPs do not affect principals in the organization's management account, and the protection is only as strong as the trust policy of the trusted administrator role, since anyone who can assume that role inherits the exemption.
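The following is an added example, not code from the original page or from the exam material. It builds the SCP that option A describes and includes a small evaluator that applies the SCP's Deny semantics to a request, so you can confirm which principals are blocked before attaching the policy. The role names SecurityAuditRole and TrustedAdminRole and the account IDs are assumed placeholders.

```python
"""
Added example (not part of the original page): build the SCP that option A
describes and check which requests it would deny.

Assumptions (placeholders, not taken from the question):
  - the auditing application's role is named SecurityAuditRole in each account
  - the trusted administrator role is named TrustedAdminRole
  - account ID 222222222222 is one of the audited accounts
"""
import fnmatch
import json

AUDIT_ROLE_NAME = "SecurityAuditRole"          # assumed name
TRUSTED_ADMIN_ROLE_NAME = "TrustedAdminRole"   # assumed name

# IAM actions that change a role's definition, trust policy, permissions,
# permissions boundary or tags. Read-only actions (iam:GetRole, iam:ListRoles)
# are deliberately left out so the audit role stays discoverable.
ROLE_MUTATING_ACTIONS = [
    "iam:UpdateRole", "iam:UpdateRoleDescription", "iam:DeleteRole",
    "iam:UpdateAssumeRolePolicy",
    "iam:AttachRolePolicy", "iam:DetachRolePolicy",
    "iam:PutRolePolicy", "iam:DeleteRolePolicy",
    "iam:PutRolePermissionsBoundary", "iam:DeleteRolePermissionsBoundary",
    "iam:TagRole", "iam:UntagRole",
]


def build_scp(audit_role=AUDIT_ROLE_NAME, admin_role=TRUSTED_ADMIN_ROLE_NAME):
    """Return the SCP document as a dict (attach to the root or the OUs
    that contain the audited accounts)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ProtectAuditRole",
            "Effect": "Deny",
            "Action": ROLE_MUTATING_ACTIONS,
            # The wildcard account ID protects the role in every member account.
            "Resource": f"arn:aws:iam::*:role/{audit_role}",
            # For a role session, aws:PrincipalArn is the role's own ARN, so
            # StringNotLike on the role ARN exempts every session of the
            # trusted administrator role and nobody else.
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [f"arn:aws:iam::*:role/{admin_role}"]
                }
            },
        }],
    }


def policy_json():
    """The SCP as the JSON string you would pass to Organizations."""
    return json.dumps(build_scp(), indent=2)


def _matches(pattern, value):
    # IAM-style wildcard matching: '*' and '?' only (ARNs contain no brackets).
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(policy, principal_arn, action, resource_arn):
    """True if any Deny statement in the SCP applies to this request.

    A Deny applies when the action matches, the resource matches and the
    condition is true. StringNotLike is true only when the context key
    matches none of the listed patterns, which is what exempts the admin role.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}) \
                     .get("aws:PrincipalArn", [])
        if any(_matches(p, principal_arn) for p in _as_list(exempt)):
            continue  # condition false: statement does not apply
        return True
    return False


if __name__ == "__main__":
    print(policy_json())
    audit = f"arn:aws:iam::222222222222:role/{AUDIT_ROLE_NAME}"
    for who in ("arn:aws:iam::222222222222:user/dev-alice",
                f"arn:aws:iam::222222222222:role/{TRUSTED_ADMIN_ROLE_NAME}"):
        verdict = "DENIED" if scp_denies(build_scp(), who, "iam:DeleteRole", audit) else "allowed by SCP"
        print(f"{who}: iam:DeleteRole on audit role -> {verdict}")
```

To deploy the document, pass `policy_json()` as the `Content` of `organizations.create_policy(..., Type="SERVICE_CONTROL_POLICY")` with boto3 and then call `organizations.attach_policy` with the root or OU ID; remember that an SCP never grants access, so the audit role itself still needs its normal identity-based and trust policies, and that the SCP has no effect on principals in the management account.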