AWS SAP-C02 · Question 50 · Domain 1.2: Security Controls
An organization is using AWS Organizations. They want to ensure that any new IAM user created in any member account automatically has a permissions boundary attached. If the boundary is not attached, the creation should fail. How can this be enforced centrally?
Answer options:
Use AWS Config to detect users without the boundary and trigger an SSM Automation to attach it.
Create a Service Control Policy (SCP) that denies the iam:CreateUser action unless the aws:PermissionsBoundary condition key is present and matches the required boundary ARN.
Attach an IAM policy to the root user of the management account.
Use AWS CloudTrail to monitor user creation and send an SNS alert.