AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company operates several AWS accounts managed with AWS Organizations. In the shared dev account, application teams need to create and maintain IAM roles for their Lambda functions and ECS tasks. The security team has produced a guardrail policy that grants only the following permissions:
Read access to two designated S3 buckets
Write access to one DynamoDB table
Developers must be able to create and update IAM roles themselves, provided the resulting roles never exceed the permissions in the guardrail policy, and the security team does not want to manually review each policy or role that is created.
Which solution BEST enforces the principle of least privilege while meeting these requirements?
Require developers to tag their roles with Environment=Dev and apply an ABAC policy that allows actions only when the principal and resource share the same tag.
Enable the AWS Config managed rule IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS and use an EventBridge rule to invoke a Lambda function that automatically deletes any policy marked NON_COMPLIANT.
Create a customer-managed policy that contains the approved S3 and DynamoDB permissions and designate it as a permissions boundary. Grant the developer group iam:CreateRole, iam:PutRolePolicy, and iam:AttachRolePolicy permissions only when the iam:PermissionsBoundary condition key equals the boundary policy's ARN.
Attach a service control policy to the dev account that denies iam:CreateRole for all principals except the security team, and have the security team create roles for developers on request.
An IAM permissions boundary is a built-in, automatic mechanism that caps the permissions any developer-created role can have: a role's effective permissions are the intersection of its identity-based policies and its boundary, so attaching a broader policy grants nothing beyond what the boundary allows. Requiring the iam:PermissionsBoundary condition key to equal the ARN of the security team's guardrail policy means iam:CreateRole, iam:PutRolePolicy and iam:AttachRolePolicy succeed only for roles that carry that boundary, so developers can self-service role creation while the resulting roles can never exceed the boundary's scope, and no manual review is needed. In practice the developer policy should also explicitly deny iam:DeleteRolePermissionsBoundary and deny changes to the boundary policy itself (for example iam:CreatePolicyVersion and iam:SetDefaultPolicyVersion on its ARN); otherwise the guardrail could be removed or rewritten by the people it is meant to constrain.
A service control policy that blocks iam:CreateRole for everyone except the security team forces the security team to provision every role, which defeats developer self-service. AWS Config remediation is detective rather than preventive: an overly broad role exists until the rule is evaluated and the Lambda function deletes the policy, so the requirement that roles never exceed the guardrail is not met (and IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS only flags full-admin statements, not every permission outside the guardrail). ABAC keyed on an Environment tag constrains which tagged resources a role may act on; it does not stop a developer from attaching AdministratorAccess or other excessive permissions to the role.
Therefore, configuring and enforcing an IAM permissions boundary is the most secure and automated approach.
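As an added example that is not part of the original question or its explanation, the two policy documents below show the guardrail used as the boundary and the developer group policy with the iam:PermissionsBoundary condition (plus the explicit denies that keep the boundary in place), followed by a small Python evaluator, a deliberate simplification of IAM's evaluation logic, that demonstrates both effects: role-management calls fail unless the guardrail is supplied as the boundary, and an admin-equivalent policy on a bounded role still grants only what the boundary allows. The account ID, bucket, table and policy names, and the app-* role prefix are placeholders chosen for this example.

```python
"""Added example (not from the original page): a permissions-boundary guardrail
for self-service roles, plus a minimal evaluator showing why roles created
under it can never exceed the boundary. Account ID, bucket, table, role and
policy names are placeholders chosen for this example."""
import fnmatch
import json

BOUNDARY_ARN = "arn:aws:iam::111122223333:policy/DevGuardrailBoundary"

# Security team's guardrail: read two buckets, write one table. Set as the
# permissions boundary on every developer-created role.
BOUNDARY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-config-bucket", "arn:aws:s3:::app-config-bucket/*",
                  "arn:aws:s3:::app-data-bucket", "arn:aws:s3:::app-data-bucket/*"]},
    {"Effect": "Allow",
     "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"}
  ]
}""")

# Identity policy for the developer group: role self-service only when the
# guardrail is the role's boundary, plus explicit denies so the boundary can
# neither be removed from a role nor rewritten.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RoleSelfServiceOnlyWithBoundary",
     "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
                "iam:PutRolePermissionsBoundary"],
     "Resource": "arn:aws:iam::111122223333:role/app-*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary":
                   "arn:aws:iam::111122223333:policy/DevGuardrailBoundary"}}},
    {"Sid": "NeverRemoveBoundary",
     "Effect": "Deny",
     "Action": "iam:DeleteRolePermissionsBoundary",
     "Resource": "*"},
    {"Sid": "NeverEditBoundaryPolicy",
     "Effect": "Deny",
     "Action": ["iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
                "iam:DeletePolicyVersion", "iam:DeletePolicy"],
     "Resource": "arn:aws:iam::111122223333:policy/DevGuardrailBoundary"}
  ]
}""")


def _matches(patterns, value):
    """IAM-style wildcard match (* and ?) against one pattern or a list."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource, context=None):
    """Small subset of IAM evaluation: an explicit Deny wins, otherwise any
    matching Allow whose StringEquals condition holds, otherwise implicit deny.
    Only StringEquals is modelled; real IAM has many more operators."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k) != v for k, v in cond.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def developer_may(action, resource, boundary_in_request=None):
    """Can a developer-group member make this IAM call? The boundary ARN in the
    request (or already on the role) populates iam:PermissionsBoundary."""
    ctx = {"iam:PermissionsBoundary": boundary_in_request} if boundary_in_request else {}
    return evaluate(DEVELOPER_POLICY, action, resource, ctx)


def role_effective_allow(role_policy, action, resource):
    """Effective permission of a role that carries the boundary: the action must
    be allowed by BOTH the role's own policy and the boundary (intersection)."""
    return evaluate(role_policy, action, resource) and evaluate(BOUNDARY_POLICY, action, resource)


# Constructed scenario: a developer attaches an admin-equivalent inline policy.
OVERLY_BROAD_ROLE_POLICY = {"Version": "2012-10-17",
                            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/app-orders-lambda"
    print(developer_may("iam:CreateRole", role), developer_may("iam:CreateRole", role, BOUNDARY_ARN))
    print(role_effective_allow(OVERLY_BROAD_ROLE_POLICY, "s3:GetObject",
                               "arn:aws:s3:::app-data-bucket/report.csv"),
          role_effective_allow(OVERLY_BROAD_ROLE_POLICY, "ec2:RunInstances", "*"))
```

The evaluator only models the parts of IAM needed to show the mechanism; for a real deployment, validate the policies with the IAM policy simulator rather than this script. Note also that a boundary limits only identity-based permissions of the role it is attached to; it does not restrict what resource-based policies elsewhere grant to that role.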
Continuous Improvement for Existing Solutions