Domain 1.2: Security Controls — AWS SAP-C02 Practice Question 50

How to approach this question

Use SCPs for preventive multi-account governance.

Full Answer

B.Create a Service Control Policy (SCP) that denies the iam:CreateUser action unless the aws:PermissionsBoundary condition key is present and matches the required boundary ARN.✓ Correct

Service Control Policies (SCPs) provide central, preventive guardrails. By using a Deny statement with a StringNotEquals condition on 'aws:PermissionsBoundary', you force administrators to attach the boundary when creating users.

Common mistakes

Choosing AWS Config, which is reactive and allows the user to be created temporarily.

An organization is using AWS Organizations. They want to ensure that any new IAM user created in any member account automatically has a permissions boundary attached. If the boundary is not attached, the creation should fail. How can this be enforced centrally?

How to approach this question

Full Answer

Common mistakes

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2

More questions from this exam