Q58 — AWS DOP-C02 Ch.1
A developer is creating a proof of concept for a new software as a service (SaaS) application. The application resides in a shared development AWS account, which is part of an organization in AWS Organizations. The developer needs to create IAM roles related to AWS services under consideration for the proof of concept. The solution must grant only the ability to create and configure service-related roles. Which solution meets these requirements?
- A. Create an IAM user for the developer in the organization’s management account. Configure a cross-account role for the developer in the development account. Scope the cross-account role to common tasks.
- B. Add the developer to an IAM group. Attach the PowerUserAccess managed policy to the IAM group. Enforce multi-factor authentication (MFA) on the user account.
- C. Add a Service Control Policy (SCP) in the organization’s development account. Configure the SCP with a deny rule for iam:* to restrict the developer’s access.
- D. Create an IAM role with necessary IAM permissions allowing the developer to create policies and roles. Attach a permissions boundary to the role. Grant the developer permission to assume this role. ✓
Correct Answer: D. Create an IAM role with necessary IAM permissions allowing the developer to create policies and roles. Attach a permissions boundary to the role. Grant the developer permission to assume this role.
Explanation
This question tests IAM permission management and permissions boundaries. A permissions boundary is a managed policy that sets the maximum permissions an IAM entity (a user or role) can have: the entity's effective permissions are the intersection of its identity-based policies and the boundary, so it cannot exceed the boundary even if a broader policy is attached to it. Option D creates an IAM role with the IAM permissions the developer needs, attaches a permissions boundary to that role, and lets the developer assume it, so the developer can create and configure service roles only within the defined constraints. The other options either grant far more than role creation (B: PowerUserAccess, with MFA adding assurance but not reducing scope), restrict IAM for everyone in the account rather than delegating it (C: a deny on iam:* would block the developer from creating roles at all), or add an IAM user in the management account and cross-account access that the requirement does not call for (A). AWS documentation explicitly recommends permissions boundaries for delegating role creation while enforcing security and compliance.
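The delegation pattern behind option D, written out as a CloudFormation template. This is an added example, not part of the exam material or AWS's own text; the boundary name `PocServiceRoleBoundary`, the `poc-` role-name prefix, the list of services under evaluation and the `DeveloperPrincipalArn` parameter are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Delegated IAM role creation capped by a permissions boundary (added example)
Parameters:
  DeveloperPrincipalArn:
    Type: String   # assumption: ARN of the developer identity allowed to assume the role
Resources:
  # Ceiling for every role the developer creates: services under evaluation only (assumed list).
  PocServiceRoleBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: PocServiceRoleBoundary
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: ["lambda:*", "dynamodb:*", "logs:*", "s3:*"]
            Resource: "*"
  # Role the developer assumes. It may create and configure roles, but only roles that
  # carry the boundary above, and it can neither edit the boundary nor strip it off a role.
  PocIamDelegationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: poc-iam-delegation
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { AWS: !Ref DeveloperPrincipalArn }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CreateBoundedServiceRoles
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow   # role creation and policy attachment only when the boundary is set
                Action: [iam:CreateRole, iam:AttachRolePolicy, iam:DetachRolePolicy, iam:PutRolePolicy, iam:DeleteRolePolicy]
                Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/poc-*"
                Condition:
                  StringEquals:
                    iam:PermissionsBoundary: !Ref PocServiceRoleBoundary   # Ref of a ManagedPolicy yields its ARN
              - Effect: Allow   # read-only IAM access so the console and CLI work
                Action: [iam:GetRole, iam:ListRoles, iam:ListRolePolicies, iam:ListAttachedRolePolicies, iam:GetPolicy, iam:ListPolicies]
                Resource: "*"
              - Effect: Deny    # the boundary itself is off limits
                Action: [iam:CreatePolicyVersion, iam:DeletePolicy, iam:DeletePolicyVersion, iam:SetDefaultPolicyVersion]
                Resource: !Ref PocServiceRoleBoundary
              - Effect: Deny    # a role's boundary can never be removed once set
                Action: iam:DeleteRolePermissionsBoundary
                Resource: "*"
```

A role the developer creates may have AdministratorAccess attached and still only act within the boundary's services; a `CreateRole` call that omits `--permissions-boundary` fails the condition and is denied, which is the check to confirm after deploying.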