SCS-C02 Question #16: Real Exam Question with Answer & Explanation

Question

A company that uses AWS Organizations is using AWS IAM Identity Center (AWS Single Sign- On) to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account. When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails. What should the security engineer do to resolve this failure?

Options

• ACreate the customer managed policy in every account where the permission set is assigned. Give
• BRemove either the AWS managed policy or the customer managed policy from the permission
• CEvaluate the logic of the AWS managed policy and the customer managed policy. Resolve any
• DDo not add the new permission set to the user. Instead, edit the user's existing permission set to

Explanation

https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocmp.html Before you assign your permission set with IAM policies, you must prepare your member account. The name of an IAM policy in your member account must be a case-sensitive match to name of the policy in your management account. IAM Identity Center fails to assign the permission set if the policy doesn't exist in your member account.

No community discussion yet for this question.