Exam DOP-C02
Question 229

A developer is creating a proof of concept for a new software as a service (SaaS) application. The application is in a shared development AWS account that is part of an organization in AWS Organizations.

The developer needs to create service-linked IAM roles for the AWS services that are being considered for the proof of concept. The solution needs to give the developer the ability to create and configure the service-linked roles only.

Which solution will meet these requirements?

    Correct Answer: D

    Creating an IAM role with the necessary IAM access and attaching a permissions boundary ensures that the developer can create and configure service-linked IAM roles without exceeding their intended level of access. This approach maintains a balance between granting necessary permissions and adhering to the principle of least privilege, ensuring security while fulfilling the requirements.

Discussion
tgv

---> D

TEC1
Option: D

D - is more granular since it provides the right balance of granting necessary permissions while maintaining security and following the principle of least privilege. It allows the developer to create and configure service-linked roles as needed for the proof of concept, while the permissions boundary ensures that they can't exceed their intended level of access.

trungtd
Option: D

A. This approach involves creating a user in the management account and setting up cross-account roles, which adds unnecessary complexity and potential security risks.

B. PowerUserAccess managed policy provides broad permissions that go beyond just creating and configuring service-linked roles. This approach does not meet the requirement to restrict the developer's capabilities specifically to service-linked role management.

C. SCPs are used to set permission guardrails at the organizational or account level, but they do not grant permissions. They are used to restrict actions, and configuring an SCP with a deny rule for iam:* would likely prevent the developer from performing necessary actions.

D effectively meets the requirements.