Exam DOP-C02
Question 270

A company uses AWS Organizations to manage hundreds of AWS accounts. The company has a team that is responsible for AWS Identity and Access Management (IAM).

The IAM team wants to implement AWS IAM Identity Center (AWS Single Sign-On). The IAM team must have only the minimum needed permissions to manage IAM Identity Center. The IAM team must not be able to gain unneeded access to the Organizations management account. The IAM team must be able to provision new IAM Identity Center permission sets and assignments for existing and new member accounts.

Which combination of steps will meet these requirements? (Choose three.)

    Correct Answer: A, D, F

    To meet the requirements, the IAM team should be isolated from the management account while still being able to manage IAM Identity Center. First, create a new AWS account for the IAM team and register this account as a delegated administrator for IAM Identity Center, which ensures the team operates within their own account (A). Next, in IAM Identity Center, create users and a group for the IAM team and attach the AWSSSOMemberAccountAdministrator managed IAM policy to the group. This provides the necessary permissions to manage IAM Identity Center without granting broader access (D). Lastly, assign the permission set to the new AWS account and allow the IAM team group to use the permission set, ensuring they have control only within their designated account (F).
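A check for the isolation requirement described above, added here as an example that is not part of the exam page or of any AWS tooling: it audits who is registered as the IAM Identity Center delegated administrator and whether the IAM team group holds any assignment in the management account, using the record shapes returned by `aws organizations list-delegated-administrators --service-principal sso.amazonaws.com` and `aws sso-admin list-account-assignments`. The account IDs, group ID and permission-set ARN are placeholders and the sample records are constructed.

```python
"""Audit IAM Identity Center delegation against the least-privilege requirement
that the IAM team never gains access to the Organizations management account."""

MANAGEMENT_ACCOUNT = "111111111111"          # placeholder: management account ID
IAM_TEAM_ACCOUNT = "222222222222"            # placeholder: IAM team's own account
IAM_TEAM_GROUP_ID = "g-iamteam-placeholder"  # placeholder: Identity Center group ID
PS_ARN = "arn:aws:sso:::permissionSet/ssoins-placeholder/ps-placeholder"  # placeholder

# Constructed sample in the shape of the DelegatedAdministrators list returned by
# `aws organizations list-delegated-administrators --service-principal sso.amazonaws.com`
DELEGATED_ADMINS = [{"Id": IAM_TEAM_ACCOUNT, "Name": "iam-team"}]

# Constructed sample in the shape of AccountAssignments returned by
# `aws sso-admin list-account-assignments`, gathered across accounts.
# The second record deliberately violates the requirement.
ASSIGNMENTS = [
    {"AccountId": IAM_TEAM_ACCOUNT, "PrincipalType": "GROUP",
     "PrincipalId": IAM_TEAM_GROUP_ID, "PermissionSetArn": PS_ARN},
    {"AccountId": MANAGEMENT_ACCOUNT, "PrincipalType": "GROUP",
     "PrincipalId": IAM_TEAM_GROUP_ID, "PermissionSetArn": PS_ARN},
]


def delegation_findings(delegated_admins, management_account):
    """Findings about the delegated-administrator registration for Identity Center."""
    findings = []
    ids = {a["Id"] for a in delegated_admins}
    if not ids:
        findings.append("no delegated administrator registered; Identity Center "
                        "can only be administered from the management account")
    if management_account in ids:
        findings.append("management account is registered as delegated administrator")
    return findings


def assignment_findings(assignments, group_id, management_account):
    """Flag every assignment that gives the IAM team group access to the management account."""
    return [
        f"group {a['PrincipalId']} holds {a['PermissionSetArn']} "
        f"in management account {a['AccountId']}"
        for a in assignments
        if a["PrincipalType"] == "GROUP"
        and a["PrincipalId"] == group_id
        and a["AccountId"] == management_account
    ]


def audit(delegated_admins, assignments, group_id, management_account):
    """Combined list of findings; an empty list means the requirement is met."""
    return (delegation_findings(delegated_admins, management_account)
            + assignment_findings(assignments, group_id, management_account))


if __name__ == "__main__":
    for finding in audit(DELEGATED_ADMINS, ASSIGNMENTS, IAM_TEAM_GROUP_ID, MANAGEMENT_ACCOUNT):
        print("FINDING:", finding)
```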

Discussion
tgv
Options: ADF

---> ADF

trungtd
Options: ADF

A ensures that the IAM team operates within their own account, isolating their permissions and activities from the Organizations management account. D provides the IAM team with the necessary permissions to manage IAM Identity Center across member accounts, without granting broader access. *Note that the AWSSSODirectoryAdministrator policy grants broader permissions than necessary. F ensures that the IAM team has the necessary permissions within their designated account. B: "The IAM team must not be able to gain unneeded access to the Organizations management account" => so B is wrong. C contradicts the principle of least privilege. E should be avoided to prevent the IAM team from gaining unneeded access.

TEC1
Options: BCF

B - This step is correct because it enables IAM Identity Center in the management account (which is necessary) and then delegates administration to a separate account for the IAM team. This approach follows the principle of least privilege by not giving the IAM team unnecessary access to the management account. C - This step is correct because it sets up the necessary users and groups in IAM Identity Center and assigns the appropriate permissions. The AWSSSODirectoryAdministrator policy provides the necessary permissions to manage IAM Identity Center without granting excessive privileges. F - This step completes the setup by assigning the permission set to the new account created for the IAM team, allowing them to perform their duties within that account rather than in the management account.