AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company has an AWS Organization with a Dev OU that contains more than 50 sandbox accounts. Project leads in those accounts must be able to create and manage IAM roles for their micro-services. Security has mandated that any new role must never obtain permissions outside Amazon S3 and Amazon DynamoDB, and this guardrail must apply automatically to future roles without requiring manual review. The solution must impose the least ongoing operational effort while still letting project leads create and update their own roles.
Which approach meets these requirements?
Attach an SCP to the Dev OU that allows only S3 and DynamoDB service actions for every principal in the member accounts, then permit project leads to create roles without additional controls.
Enable IAM Access Analyzer in each account and invoke an AWS Lambda function through EventBridge to delete any role whose policy includes actions outside S3 and DynamoDB.
Require all role creation requests to pass through a central AWS CloudFormation pipeline that is manually reviewed and approved by the security team before deployment.
Create a customer-managed policy that permits only Amazon S3 and DynamoDB actions, designate it as a permissions boundary, and apply an Organizations SCP to the Dev OU that denies iam:CreateRole unless that permissions boundary is specified.
A permissions boundary caps the permissions a role's identity-based policies can grant; it grants nothing by itself, and the role's effective permissions are the intersection of its identity-based policies and the boundary. By creating a customer-managed policy that allows only S3 and DynamoDB actions and requiring it to be attached as a permissions boundary, every role the project leads create is automatically constrained, no matter which policies they later attach to it. An Organizations SCP that denies iam:CreateRole (and iam:PutRolePermissionsBoundary) unless the iam:PermissionsBoundary condition key names that policy enforces use of the boundary at creation time; because negated condition operators such as StringNotEquals or ArnNotLike also match when the key is absent from the request, a CreateRole call that supplies no boundary at all is denied as well. In practice the SCP should also deny iam:DeleteRolePermissionsBoundary and deny changes to the boundary policy itself (for example iam:CreatePolicyVersion and iam:DeletePolicy on its ARN), otherwise a project lead could loosen the cap after the fact; and because customer-managed policies are account-scoped, the boundary policy must exist in each member account, which is typically deployed once with CloudFormation StackSets. Roles that already exist need the boundary attached once with iam:PutRolePermissionsBoundary. This combination prevents overly permissive roles up front, applies to every future role in all of the sandbox accounts, and needs very little ongoing operational effort.
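As an added, runnable illustration of the mechanism described above (this is not code from the exam page or from AWS), the block below writes out the two policy documents the correct answer depends on and models just enough of IAM's evaluation rules to show why they work: the boundary caps whatever the project lead attaches, and the SCP's negated condition denies iam:CreateRole both when the wrong boundary is named and when none is named at all. The policy name DevMicroserviceBoundary and the account ID 123456789012 are assumptions made for the example.

```python
"""Added illustration (not from the exam page or AWS): the boundary policy and the
Dev OU SCP, plus a deliberately small evaluator for the few IAM semantics that make
the guardrail work. Policy name and account ID are assumed."""
import fnmatch
import json

BOUNDARY_NAME = "DevMicroserviceBoundary"                        # assumed name
BOUNDARY_ARN_PATTERN = f"arn:aws:iam::*:policy/{BOUNDARY_NAME}"  # any Dev OU account

# Customer-managed policy that must exist in every Dev OU account (StackSets is the
# usual way to create it once in 50+ accounts). It is a cap, not a grant.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}
    ],
}

# SCP attached to the Dev OU. Deny-only, so it never grants anything by itself.
DEV_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Role creation / boundary replacement must name the approved boundary.
            "Sid": "DenyRoleWithoutApprovedBoundary",
            "Effect": "Deny",
            "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"iam:PermissionsBoundary": BOUNDARY_ARN_PATTERN}},
        },
        {   # Nobody in the OU may strip a boundary off a role.
            "Sid": "DenyBoundaryRemoval",
            "Effect": "Deny",
            "Action": "iam:DeleteRolePermissionsBoundary",
            "Resource": "*",
        },
        {   # Nobody in the OU may edit or delete the boundary policy itself.
            "Sid": "DenyBoundaryPolicyTampering",
            "Effect": "Deny",
            "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                       "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
            "Resource": BOUNDARY_ARN_PATTERN,
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def scp_denies(action, resource, context):
    """True if a Deny statement in DEV_OU_SCP matches the request.

    context: condition keys present in the request (e.g. 'iam:PermissionsBoundary').
    Only the ArnNotLike operator is modelled, as that is all the SCP above uses.
    """
    for stmt in DEV_OU_SCP["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        for key, patterns in stmt.get("Condition", {}).get("ArnNotLike", {}).items():
            value = context.get(key)
            # Negated operators are TRUE when the key is absent from the request,
            # so CreateRole with no boundary at all is denied, not just a wrong one.
            if value is not None and any(_match(p, value) for p in _as_list(patterns)):
                break                      # condition not met; statement does not apply
        else:
            return True                    # action, resource and every condition matched
    return False


def boundary_allows(action):
    """True if the boundary's Allow statements cover the action."""
    return any(stmt["Effect"] == "Allow"
               and any(_match(a, action, True) for a in _as_list(stmt["Action"]))
               for stmt in BOUNDARY_POLICY["Statement"])


def effective_allow(action, identity_policy_actions):
    """Effective permission of a bounded role = identity policy AND boundary."""
    return (any(_match(a, action, True) for a in identity_policy_actions)
            and boundary_allows(action))


if __name__ == "__main__":
    acct = "123456789012"                  # assumed sandbox account
    role = f"arn:aws:iam::{acct}:role/orders-svc"
    ok = {"iam:PermissionsBoundary": f"arn:aws:iam::{acct}:policy/{BOUNDARY_NAME}"}
    print(json.dumps(DEV_OU_SCP, indent=2))
    print(scp_denies("iam:CreateRole", role, {}))       # True: no boundary supplied
    print(scp_denies("iam:CreateRole", role, ok))       # False: approved boundary supplied
    print(effective_allow("ec2:RunInstances", ["*"]))   # False: boundary caps '*'
```

ArnNotLike with an account wildcard is used rather than StringNotEquals because a customer-managed policy ARN embeds the account ID; giving the policy the same name in every sandbox account lets one SCP cover all of them. The evaluator here covers only the operators the SCP uses; validate the real documents with the IAM policy simulator before relying on them.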
The other options fail to achieve the same goal or add significant overhead:
An SCP that allows only S3 and DynamoDB actions would cap every principal in the member accounts, not just the new roles, blocking other services those accounts legitimately use and requiring an SCP change every time a new service is needed.
IAM Access Analyzer plus Lambda remediation is reactive, not preventive: an over-permissive role exists, and can be assumed, until the function deletes it, and the approach still requires custom automation and ongoing monitoring.
A centrally reviewed pipeline would enforce the guardrail, but it contradicts the requirement that the control apply automatically without manual review, and it adds substantial operational burden and delay for every role change.
Therefore, attaching a permissions boundary and enforcing its use with an SCP is the best solution.
Design for New Solutions