A senior developer needs the ability to create new IAM roles for Lambda functions. However, the security team wants to ensure the developer cannot create roles with administrative privileges. How can this be enforced?

Answer options:

Attach an IAM policy to the developer that explicitly denies the AdministratorAccess policy.

Use an IAM permissions boundary to restrict the maximum permissions the developer can grant.

Use AWS Organizations SCPs to restrict the developer's IAM user.

Require MFA for all IAM role creation.

How to approach this question

When delegating IAM creation while restricting maximum permissions, use Permissions Boundaries.

Full Answer

B.Use an IAM permissions boundary to restrict the maximum permissions the developer can grant.✓ Correct

Use an IAM permissions boundary.

An IAM permissions boundary is an advanced feature that allows you to use a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. This safely allows developers to create roles without escalating privileges.

Common mistakes

Confusing SCPs (account level) with Permissions Boundaries (entity level).

Question 17 All questions Question 19

Practice the full AWS SAA-C03 Practice Exam 3

65 questions · hints · full answers · grading

More questions from this exam

Q01A company stores sensitive documents in an Amazon S3 bucket. The security team requires that only...Easy Q02A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to...Medium Q03A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (AL...Easy Q04A company wants to continuously monitor its AWS accounts for malicious activity and unauthorized ...Medium Q05A company needs to encrypt data at rest in Amazon RDS and manage database credentials securely. T...Medium

View all 65 questions →