
DOP-C02 Exam - Question 11


An ecommerce company has chosen AWS to host its new platform. The company's DevOps team has started building an AWS Control Tower landing zone. The DevOps team has set the identity store within AWS IAM Identity Center (AWS Single Sign-On) to an external identity provider (IdP) and has configured SAML 2.0.

The DevOps team wants a robust permission model that applies the principle of least privilege. The model must allow the team to build and manage only the team's own resources.

Which combination of steps will meet these requirements? (Choose three.)

Correct Answer: BCF

To meet the requirements of a robust permission model that supports least privilege and lets the DevOps team manage only its own resources, start by creating permission sets in AWS IAM Identity Center. These permission sets carry policies that define the necessary permissions and use the aws:PrincipalTag condition key to scope access by identity attributes. Second, create groups in the identity provider (IdP) and place users in those groups; the groups are then assigned to accounts and permission sets in IAM Identity Center, so access is managed per group rather than per user. Third, enable attributes for access control in IAM Identity Center and map the IdP attributes as key-value pairs, so that each permission set is evaluated against the signed-in user's own attributes and permissions stay scoped according to the principle of least privilege.
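As an added illustration (not part of the original question or its answer explanation), this is the kind of inline policy such a permission set could carry. It assumes that attributes for access control are enabled in IAM Identity Center with an attribute key named `team` mapped from the IdP's SAML assertion (the key name and the EC2 scope are assumptions), so that `${aws:PrincipalTag/team}` resolves to the signed-in user's team when the policy is evaluated:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OperateOnlyOnInstancesTaggedWithOwnTeam",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances",
                 "ec2:RebootInstances", "ec2:TerminateInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}
      }
    },
    {
      "Sid": "LaunchOnlyWhenNewInstanceIsTaggedWithOwnTeam",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {"aws:RequestTag/team": "${aws:PrincipalTag/team}"}
      }
    },
    {
      "Sid": "LaunchDependenciesThatCarryNoTeamTag",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                   "arn:aws:ec2:*:*:security-group/*",
                   "arn:aws:ec2:*:*:network-interface/*",
                   "arn:aws:ec2:*:*:volume/*"]
    },
    {
      "Sid": "TagOnlyAtLaunchAndOnlyWithOwnTeam",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances",
          "aws:RequestTag/team": "${aws:PrincipalTag/team}"
        }
      }
    },
    {
      "Sid": "ReadOnlyDiscovery",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
```

Because the team value comes from the IdP attribute rather than from per-user IAM tags, one permission set assigned to one group scopes every member to their own team's instances, and a principal whose assertion carries no `team` attribute cannot satisfy these conditions and is denied by default.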

Discussion

14 comments
bcx (Options: BCF)
May 30, 2023

I would go with BCF. I cannot make a large comment on why, but I manage an Identity Center setup at work and find that these are the correct ones IMHO. Your IdP has attributes, not tags; you have to rely on the IdP's attributes, for instance. And you work with permission sets almost always, so the three answers about the permission sets make the full answer. You do not use IAM directly or tags for this.

asfsdfsdf (Options: BCF)
Apr 6, 2023

This is clearly stated here: https://aws.amazon.com/blogs/aws/new-attributes-based-access-control-with-aws-single-sign-on/ Answers are: BCF - permission sets + IdP attribute mapping + groups. For example, a user with the IdP attribute Dep/hr will be able to delete instances with this specific tag.

habros (Options: BCF)
Jul 4, 2023

Example: if I use the IdP as my group, and I add users to the group, then my users will be onboarded via the SCIM method. IAM roles do not apply to a Control Tower landing zone. Hence B and C are secured (only permission sets for AWS SSO). It does not make sense granting RBAC via tags…

Aja1
Aug 6, 2023

An inline policy is a policy created for a single IAM identity (a user, group, or role). Inline policies maintain a strict one-to-one relationship between a policy and an identity. A permission set is a template that you create and maintain that defines a collection of one or more IAM policies.

Aja1
Aug 6, 2023

IAM Identity Center helps you securely create, or connect, your workforce identities and manage their access centrally across AWS accounts and applications. Attribute mappings are used to map attribute types that exist in IAM Identity Center with like attributes in an AWS Managed Microsoft AD directory. IAM Identity Center retrieves user attributes from your Microsoft AD directory and maps them to IAM Identity Center user attributes. These IAM Identity Center user attribute mappings are also used for generating SAML assertions for your cloud applications.

madperro (Options: BCF)
Jun 8, 2023

BCF https://docs.aws.amazon.com/singlesignon/latest/userguide/abac.html

ele (Options: BCF)
Apr 7, 2023

Agree, BCF - permission sets + IdP attribute mapping + groups.

alce2020
Apr 15, 2023

I'll go with B, C, F.

ParagSanyashiv (Options: BCF)
May 8, 2023

BCF makes more sense here.

habros
Jul 4, 2023

https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html

lqpO_Oqpl
Apr 5, 2023

A, C, E

Rick365 (Options: BCF)
May 31, 2023

I believe BCF.

SafranboluLokumu
Nov 29, 2023

The correct answer is shown as A-B-C, but 11 people in the discussion are sure the correct answer is B-C-F. What is the answer? Can the system show the correct answer as wrong, or are people mistaken?

davdan99
Jan 5, 2024

The examTopics answers are wrong in most cases; please read the discussions and the references that users provide.

ajeeshb
Jul 1, 2024

Then why do people pay the fee for access? I don't understand. If the answer comes from a discussion that people have to work out themselves (and not very confidently at that), why do they charge so much for the contributor access?!

thanhnv142
Jan 28, 2024

B, C, E seem more accurate: B - need to attach the policy so that it can be usable. A is not true because IAM policies are not the same as in IAM Identity Center. C - not D, because you cannot assign a group to IAM policies; IAM policies are attached to groups. Also, permission sets are needed in Identity Center. E - attributes are basically tagging.

zijo
Feb 22, 2024

Permission sets are stored in IAM Identity Center. So you know all answers that mention permission sets and IAM Identity Center are likely correct.

Gomer (Options: BCF)
May 24, 2024

While I have no great insights or expertise in this area, I do know how to read (RTFM) and quasi-solve the puzzle in my head. This reference URL (PDF) seems to touch all the steps listed in "B", "C", "F" and shows some extra steps not listed. Search and see for yourself. https://d1.awsstatic.com/events/aws-reinforce-2022/IAM309_Designing-a-well-architected-identity-and-access-management-solution.pdf

Gomer
May 24, 2024

Also, I might add, rather than just memorizing the most-voted answer to the question, I'd suggest actually going out to do some research and taking some long-term notes you can reference later. That may take more time, but you'll also be more competent at work, and maybe keep your job longer. I love the fact that ExamTopics gives a forum to discuss and research complex questions and share findings. It's pretty lame if you come here just to memorize answers long enough to pass an exam.