Exam DOP-C02
Question 215

A cloud team uses AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On) to manage a company's AWS accounts. The company recently established a research team. The research team requires the ability to fully manage the resources in its account. The research team must not be able to create IAM users.

The cloud team creates a Research Administrator permission set in IAM Identity Center for the research team. The permission set has the AdministratorAccess AWS managed policy attached. The cloud team must ensure that no one on the research team can create IAM users.

Which solution will meet these requirements?

    Correct Answer: C

    To ensure that no one on the research team can create IAM users under any circumstance in its account, the effective solution is an SCP (Service Control Policy) that explicitly denies the iam:CreateUser action. SCPs enforce restrictions on every identity within an AWS account, so no principal in the account can bypass the policy. This avoids the weakness of identity-based IAM policies attached to roles or users: a principal with sufficient permissions could modify those policies or create a new principal that is not subject to them. Attaching the SCP to the research team's account applies the control account-wide and meets the requirement.
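The reasoning above can be made concrete with a small, added model of the policy evaluation logic. This is illustrative code written for this page, not code from the exam or from AWS: the policy documents are constructed, the evaluator is deliberately simplified (no resource or condition matching, no permission boundaries or session policies), and the function and variable names are assumptions for the example. It shows the SCP from the answer denying iam:CreateUser for the Research Administrator permission set and for any role the team creates later, while leaving other administrative actions allowed, and contrasts that with a deny placed only in the permission set's own policy.

```python
"""Added, illustrative model (not from the exam page or from AWS) of how an
SCP that explicitly denies iam:CreateUser interacts with the AdministratorAccess
permission set. All policy documents below are constructed for the example;
resource and condition matching are deliberately omitted."""
import fnmatch

# Default SCP that AWS Organizations attaches to every account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# The SCP the answer describes: an explicit deny of IAM user creation.
DENY_CREATE_USER_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyIamUserCreation", "Effect": "Deny",
         "Action": "iam:CreateUser", "Resource": "*"}
    ],
}

# AWS managed AdministratorAccess: allow every action on every resource.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Alternative being compared: the same deny as an identity-based policy on the permission set.
DENY_CREATE_USER_IDENTITY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(policy, action, effect):
    """True if a statement with the given Effect matches the action (wildcards allowed)."""
    return any(
        stmt["Effect"] == effect
        and any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", [])))
        for stmt in policy["Statement"]
    )


def is_allowed(action, identity_policies, scps):
    """Simplified evaluation: any explicit Deny wins; otherwise the action needs
    an Allow from the SCPs in force AND an Allow from the identity policies."""
    if any(_matches(p, action, "Deny") for p in identity_policies + scps):
        return False
    return (any(_matches(p, action, "Allow") for p in scps)
            and any(_matches(p, action, "Allow") for p in identity_policies))


def evaluate_scenarios():
    """Compare the SCP approach with a deny placed only in the permission set."""
    scp_enforced = [FULL_AWS_ACCESS, DENY_CREATE_USER_SCP]
    scp_default = [FULL_AWS_ACCESS]
    research_admin = [ADMINISTRATOR_ACCESS]            # permission set, provisioned as a role
    research_admin_with_deny = [ADMINISTRATOR_ACCESS, DENY_CREATE_USER_IDENTITY]
    new_role = [ADMINISTRATOR_ACCESS]                  # a role created later in the account

    return {
        # SCP on the account: blocks the permission set and any role created afterwards.
        "scp_blocks_permission_set": is_allowed("iam:CreateUser", research_admin, scp_enforced),
        "scp_blocks_new_role": is_allowed("iam:CreateUser", new_role, scp_enforced),
        "scp_leaves_other_admin_actions": is_allowed("ec2:RunInstances", research_admin, scp_enforced),
        # Deny only in the permission set: blocks that role, but not a role without the deny.
        "identity_deny_blocks_permission_set": is_allowed(
            "iam:CreateUser", research_admin_with_deny, scp_default),
        "identity_deny_not_applied_to_new_role": is_allowed("iam:CreateUser", new_role, scp_default),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Two points the model relies on hold in AWS as well: a permission set is provisioned into the member account as an IAM role, so an SCP attached to that account (or to its OU) governs it like any other principal, and SCPs do not apply to the organization's management account, so the research account must be a member account for the control to take effect.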

Discussion
CloudHell - Option: C

It's C for me, here is a link with a similar scenario: https://asecure.cloud/a/scp_deny_iam_user_creation_w_exception/

dkp - Option: C

While IAM policies can deny actions, they are typically attached to individual users or roles. In this scenario, you want to restrict user creation across the entire research team's account, making an SCP the more appropriate choice.

tristan_07 - Option: C

C is the answer. IAM policy is not as scalable or centralized as using an SCP. You can attach an SCP to the organization root, to an organizational unit (OU), or directly to an account https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

c3518fc - Option: C

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

rkddkwlrkwhgdk - Option: A

SCP can be applied to an OU. Therefore, the answer is A.

HayLLlHuK

You can attach an SCP to the organization root, to an organizational unit (OU), or directly to an account. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

that1guy - Option: A

A, only the research team shouldn't be able to create IAM users.

seetpt - Option: C

C for me

tgv - Option: A

I'll go for A as the question says: "The cloud team must ensure that no one on the research team can create IAM users." C will block everybody (not just the research team)

tgv

Even though xdkonorek2 has a valid point. Just flip a coin if you get this question in the exam.

xdkonorek2 - Option: C

C. A is not enough because the research team could still create an IAM role that allows them to create IAM users and, e.g., invoke a Lambda that does it for them. The obviously unwanted implication is that no one in this account can create IAM users, even admins, but it still fulfills the requirements.

WhyIronMan - Option: A

A is the correct option since you cannot apply an SCP directly to an AWS account (it needs to be an OU).

HayLLlHuK

You can attach an SCP to the organization root, to an organizational unit (OU), or directly to an account. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

ogerber - Option: A

It's A. When you attach the SCP, no one will be able to create new users, not just the team.

c3518fc

Isn't that what is required?