SAP-C02 · Question #727
The correct answer is C: Create an SCP that applies to all the AWS accounts to deny IAM actions for all users except for.
Question
A company uses AWS Organizations to manage its AWS accounts. A solutions architect must design a solution in which only administrator roles are allowed to use IAM actions. However, the solutions architect does not have access to all the AWS accounts throughout the company. Which solution meets these requirements with the LEAST operational overhead?
Options
- A. Create an SCP that applies to all the AWS accounts to allow IAM actions only for administrator
- B. Configure AWS CloudTrail to invoke an AWS Lambda function for each event that is related to
- C. Create an SCP that applies to all the AWS accounts to deny IAM actions for all users except for
- D. Set an IAM permissions boundary that allows IAM actions. Attach the permissions boundary to
Explanation
To restrict IAM actions to only administrator roles across all AWS accounts in an Organization with the least operational overhead, a Service Control Policy (SCP) that denies IAM actions for all users except administrators is the most effective solution. Because an SCP is enforced centrally from the organization, it takes precedence over the IAM policies inside each individual account and provides robust control without requiring access to those accounts.
Common mistakes.
- A. An SCP that only allows IAM actions for administrators is a weaker restriction than an explicit deny: an allow in an SCP does not by itself override overly permissive IAM policies within the accounts, and denies from other SCPs or IAM policies may still apply, so the intended restriction is not reliably enforced.
- B. Using CloudTrail with Lambda is a reactive solution that detects unauthorized actions after they occur, rather than proactively preventing them, and incurs higher operational overhead for development and maintenance.
- D. IAM permissions boundaries are applied to individual IAM entities within each account, requiring per-account access and significant operational overhead, which contradicts the requirement for centralized control and minimal management.
Concept tested. AWS Organizations Service Control Policies (SCPs)
Reference. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
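As an added example (not from the page or from AWS documentation), this is the shape of SCP the correct answer describes: an explicit deny of every IAM action that exempts one administrator role. The role name `OrgAdministrator` is a placeholder assumption; the account ID is wildcarded so the same policy matches the role in every member account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIAMActionsExceptOrgAdministrator",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgAdministrator"
        }
      }
    }
  ]
}
```

Attach it at the organization root (or the OUs in scope) alongside the default FullAWSAccess SCP; SCPs never apply to the management account, so that account needs its own controls. The exception has to be expressed as a Deny with a Condition because SCP Allow statements cannot carry a Condition element, which is also why option A cannot be written this way.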