AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company uses Azure AD as its workforce identity provider and AWS IAM Identity Center for single sign-on to more than 50 AWS accounts that belong to one AWS Organizations organization.
Each AWS account hosts development Amazon EC2 instances for many internal projects.
Security requirements
- Developers must be able to start and stop EC2 instances only for the projects to which they are assigned.
- A developer's assigned project is stored in the
projectCodeattribute of the Azure AD user object. - New projects must be onboarded without creating additional IAM roles or permission sets.
Which approach meets these requirements with the LEAST administrative effort?
Create a separate permission set for every project that contains an inline policy with the project's hard-coded tag value, and assign developers to their project's permission set.
Create one IAM role per project in every AWS account. Configure Identity Center assignments so that developers can assume the appropriate roles, and attach an IAM policy to each role that limits start and stop actions to the project's resources.
Enable attributes for access control in IAM Identity Center, map the Azure AD
projectCodeattribute to an access-control attribute namedProjectCode, tag each EC2 instance withProjectCode=<projectCode>, and create one permission set whose IAM policy allowsec2:StartInstancesandec2:StopInstancesonly whenec2:ResourceTag/ProjectCodeequals${aws:PrincipalTag/ProjectCode}.Attach resource-based policies directly to EC2 instances that reference the
projectCodeattribute in the request context to allow or deny the start and stop actions.