
DOP-C02 Exam - Question 215


A cloud team uses AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On) to manage a company's AWS accounts. The company recently established a research team. The research team requires the ability to fully manage the resources in its account. The research team must not be able to create IAM users.

The cloud team creates a Research Administrator permission set in IAM Identity Center for the research team. The permission set has the AdministratorAccess AWS managed policy attached. The cloud team must ensure that no one on the research team can create IAM users.

Which solution will meet these requirements?

Correct Answer: C

To ensure that nobody in the research team's account can create IAM users, the effective solution is a service control policy (SCP) that explicitly denies the iam:CreateUser action. An SCP applies to every IAM principal in the account it is attached to, and an explicit Deny in an SCP cannot be overridden by any Allow in an identity-based policy, including the AdministratorAccess policy attached to the Research Administrator permission set. A deny placed only in an IAM policy on the permission set's role would be weaker: a principal with administrator-level permissions could edit or detach that policy and remove the restriction. Attaching the SCP to the research team's account therefore enforces the requirement centrally.
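The following Python script is an added example, not part of the original page or of any AWS documentation. It writes out an SCP document of the kind the explanation describes (a constructed policy named here DenyIamUserCreation) and runs a deliberately simplified model of the IAM evaluation order to show why an SCP deny holds even against AdministratorAccess, while a deny that lives only in an identity policy does not survive an administrator who can edit that policy. The model ignores resource ARNs, conditions, NotAction, permission boundaries and session policies, and treats all supplied SCPs as one flat set; it is an illustration of the precedence rule, not a reimplementation of the AWS policy engine.

```python
import fnmatch
import json

# Constructed SCP for the research account: explicit Deny on iam:CreateUser for every principal.
RESEARCH_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIamUserCreation",
            "Effect": "Deny",
            "Action": "iam:CreateUser",
            "Resource": "*",
        }
    ],
}

# Content of the AWS managed AdministratorAccess policy (Allow everything).
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# FullAWSAccess: the default SCP AWS Organizations attaches to every root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed alternative: the same deny written as an identity policy on the permission set's role.
IDENTITY_DENY_CREATE_USER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}],
}


def research_scp_json():
    """Return the SCP as the JSON string you would pass to 'aws organizations create-policy'."""
    return json.dumps(RESEARCH_SCP, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action):
    # IAM action names are matched case-insensitively and support '*' wildcards.
    patterns = _as_list(stmt.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _effects(policy, action):
    """Set of effects ('Allow'/'Deny') of the statements in one policy that match the action."""
    return {s["Effect"] for s in policy["Statement"] if _statement_matches(s, action)}


def evaluate(action, identity_policies, scps):
    """Simplified evaluation for a principal in a member account.

    1. SCP boundary: an explicit Deny in any SCP wins; otherwise some SCP must Allow the action.
    2. Identity policies: an explicit Deny wins; otherwise some policy must Allow the action.
    """
    scp_effects = set().union(*(_effects(p, action) for p in scps))
    if "Deny" in scp_effects:
        return "explicit deny in SCP"
    if "Allow" not in scp_effects:
        return "implicit deny by SCP"
    identity_effects = set().union(*(_effects(p, action) for p in identity_policies))
    if "Deny" in identity_effects:
        return "explicit deny in identity policy"
    if "Allow" in identity_effects:
        return "allowed"
    return "implicit deny"


if __name__ == "__main__":
    print(research_scp_json())
    admin = [ADMINISTRATOR_ACCESS]
    print("SCP attached:       ", evaluate("iam:CreateUser", admin, [FULL_AWS_ACCESS, RESEARCH_SCP]))
    print("identity deny only: ", evaluate("iam:CreateUser", admin + [IDENTITY_DENY_CREATE_USER], [FULL_AWS_ACCESS]))
    print("can admin edit role policies?", evaluate("iam:DetachRolePolicy", admin + [IDENTITY_DENY_CREATE_USER], [FULL_AWS_ACCESS]))
```

Run as a script it prints the SCP JSON and the three evaluations. The third line is the practical point: with the deny only in an identity policy, iam:DetachRolePolicy (and the other IAM write actions) are still allowed to the administrator, so the restriction can be removed by the very principal it targets; with the SCP attached, no principal in the account can lift the deny because SCPs are managed from the organization's management account. The generated JSON can be registered with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --name DenyIamUserCreation --content file://scp.json` and then bound to the research account with `aws organizations attach-policy --policy-id <POLICY_ID> --target-id <ACCOUNT_ID>` (placeholder ids).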

Discussion

11 comments
CloudHell (Option: C)
Mar 16, 2024

It's C for me, here is a link with a similar scenario: https://asecure.cloud/a/scp_deny_iam_user_creation_w_exception/

tristan_07 (Option: C)
Apr 4, 2024

C is the answer. IAM policy is not as scalable or centralized as using an SCP. You can attach an SCP to the organization root, to an organizational unit (OU), or directly to an account https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

dkp (Option: C)
Apr 13, 2024

While IAM policies can deny actions, they are typically attached to individual users or roles. In this scenario, you want to restrict user creation across the entire research team's account, making an SCP the more appropriate choice.

rkddkwlrkwhgdk (Option: A)
Mar 28, 2024

SCP can be applied to an OU. Therefore, the answer is A.

HayLLlHuK
Apr 11, 2024

You can attach an SCP to the organization root, to an organizational unit (OU), or directly to an account. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

c3518fc (Option: C)
Apr 26, 2024

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

seetpt (Option: C)
May 2, 2024

C for me

that1guy (Option: A)
May 17, 2024

A, only the research team shouldn't be able to create IAM users.

ogerber (Option: A)
Mar 27, 2024

It's A; when you attach the SCP, no one will be able to create new users, not just the team.

c3518fc
Apr 26, 2024

Isn't that what is required?

WhyIronMan (Option: A)
Mar 30, 2024

A is the correct option since you cannot apply an SCP directly to an AWS account (it needs to be an OU).

HayLLlHuK
Apr 11, 2024

You can attach an SCP to the organization root, to an organizational unit (OU), or directly to an account. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

xdkonorek2 (Option: C)
Jul 5, 2024

C. A is not enough because the research team could still create an IAM role that allows them to create an IAM user and, e.g., invoke a Lambda that does it for them. The obviously unwanted implication is that no one in this account can create IAM users, even admins, but it still fulfills the requirements.

tgv (Option: A)
Jul 18, 2024

I'll go for A as the question says: "The cloud team must ensure that no one on the research team can create IAM users." C will block everybody (not just the research team)

tgv
Jul 18, 2024

Even though xdkonorek2 has a valid point. Just flip a coin if you get this question in the exam.