AWS SAP-C02 · Question 24 · Domain 1.2: Security Controls
A company uses AWS IAM Identity Center (AWS SSO) for federation. They need to grant developers read-only access to production accounts, but full access to development accounts. What is the BEST way to manage this?
Answer options:
Create IAM users in each account and assign policies.
Create Permission Sets in IAM Identity Center and assign them to the developer group for the respective accounts.
Use AWS Organizations SCPs to restrict developer access in production.
Create cross-account IAM roles and have developers assume them.