ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your organization hosts a microservices workload in a single AWS account. Developers push code to an AWS CodeCommit repository, AWS CodeBuild compiles the artifacts, and AWS CodeDeploy releases them to production. A recent audit mandates that individuals who write code must not be able to promote it to production. Which solution best enforces this segregation of duties using only native AWS capabilities?
Use one least-privileged IAM role for both development and deployment, but mandate MFA and strong passwords for every pipeline action.
Attach AdministratorAccess policy to all developers but require CodeCommit pull-request reviews before merging to the production branch.
Define two IAM roles: a Developer role allowed to push to CodeCommit and invoke CodeBuild, and a ReleaseManager role allowed only to approve a Manual Approval action placed between the build and deploy stages in CodePipeline. Team members assume only their designated role.
Enable AWS CloudTrail and Amazon GuardDuty to detect and alert on any unauthorized deployment events after they occur.
Segregation of duties is achieved by ensuring that the person who creates or changes code cannot by themselves place that code into production. Inserting a Manual Approval action in AWS CodePipeline and assigning that action's permissions to a separate IAM role reserved for release managers cleanly separates build and deployment responsibilities. Options that give developers AdministratorAccess, rely solely on peer review, use one shared role with MFA, or depend only on detective controls such as CloudTrail and GuardDuty do not provide the required preventative separation because developers would still be able to deploy or there would be no enforcing control at the deployment gate.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is IAM, and why is it important in AWS?
Open an interactive chat with Bash
What is AWS CodePipeline, and how does Manual Approval work within it?
Open an interactive chat with Bash
How do GuardDuty and CloudTrail differ from preventive controls like IAM roles in AWS?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Security Concepts and Practices
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .