Q58 — AWS DOP-C02 Ch.1

Question 58 of 100

A developer is creating a proof of concept for a new software as a service (SaaS) application. The application resides in a shared development AWS account, which is part of an organization in AWS Organizations. The developer needs to create IAM roles related to AWS services under consideration for the proof of concept. The solution must grant only the ability to create and configure service-related roles. Which solution meets these requirements?

Correct Answer: D. Create an IAM role with necessary IAM permissions allowing the developer to create policies and roles. Attach a permissions boundary to the role. Grant the developer permission to assume this role.

Explanation

This question tests IAM permission management and permissions boundaries. A permissions boundary is a managed policy attached to an IAM user or role that sets the maximum permissions that identity can have: its effective permissions are the intersection of its identity-based policies and the boundary, so attaching broader policies to the role does not extend it past the boundary. Option D creates an IAM role with the IAM permissions the developer needs to create policies and roles, attaches a permissions boundary to that role, and lets the developer assume it, so the developer can create and configure service roles only within the defined ceiling. The other options either grant excessive permissions (B), restrict access broadly across the whole account (C), or add unnecessary complexity (A). AWS documentation describes exactly this use of permissions boundaries: delegating permission management, including role creation, to others while capping what they can grant.

One caveat a practitioner should keep in mind: a boundary on the developer's own role limits what the developer can do directly, but the roles the developer creates are not bounded unless the policy that grants iam:CreateRole, iam:AttachRolePolicy and iam:PutRolePolicy also requires the iam:PermissionsBoundary condition key to equal the boundary's ARN. Without that condition the developer could create a role with broader permissions and, given iam:PassRole or a trust policy that allows it, use that role to escalate. AWS's delegation guidance pairs the boundary with that condition for this reason.
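The pattern behind answer D, written out as an added example that is not part of the exam page: a permissions boundary that caps both the developer's role and every role the developer creates, the developer's identity policy, and a small evaluator that shows the boundary overriding a broader identity policy. The account ID, the boundary policy name, the `poc-` role naming convention and the list of PoC services are placeholders assumed for this example; the evaluator looks only at the Action element and does not model Resource or Condition matching.

```python
"""Added example (not from the exam page): delegated role creation capped by
an IAM permissions boundary. Account ID, boundary ARN, the "poc-" naming
convention and the service list are placeholders, not values from the question."""
import json
from fnmatch import fnmatchcase

ACCOUNT_ID = "111122223333"                                              # placeholder
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/PoCDeveloperBoundary"  # placeholder
POC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/poc-*"                   # assumed convention
REQUIRE_BOUNDARY = {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}

# The boundary: a ceiling for the developer role AND for every role the
# developer creates. Its own iam:CreateRole grant carries the boundary
# condition, so nothing bounded by it can mint an unbounded role, and it
# denies removing, swapping or editing the boundary itself.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",  # services under evaluation (assumed list)
         "Action": ["lambda:*", "s3:*", "logs:*", "sqs:*", "iam:Get*", "iam:List*"]},
        {"Effect": "Allow", "Resource": POC_ROLE_ARN, "Condition": REQUIRE_BOUNDARY,
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"]},
        {"Effect": "Allow", "Resource": POC_ROLE_ARN,
         "Action": ["iam:DeleteRole", "iam:DetachRolePolicy", "iam:DeleteRolePolicy",
                    "iam:UpdateAssumeRolePolicy", "iam:PassRole", "iam:TagRole"]},
        {"Effect": "Allow", "Resource": f"arn:aws:iam::{ACCOUNT_ID}:policy/poc-*",
         "Action": ["iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicy"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary"]},
        {"Effect": "Deny", "Resource": BOUNDARY_ARN,
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:SetDefaultPolicyVersion"]},
    ],
}

# Identity policy on the role the developer assumes (answer D's "necessary IAM
# permissions"). It is broader than the boundary on purpose (ec2:*) to show the cap.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["lambda:*", "s3:*", "logs:*", "sqs:*", "ec2:*", "iam:Get*", "iam:List*"]},
        {"Effect": "Allow", "Resource": POC_ROLE_ARN, "Condition": REQUIRE_BOUNDARY,
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:DeleteRole", "iam:DetachRolePolicy", "iam:DeleteRolePolicy",
                    "iam:UpdateAssumeRolePolicy", "iam:PassRole", "iam:TagRole",
                    "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicy"]},
    ],
}

# Weak variant: AdministratorAccess-style grant with no boundary condition on
# iam:CreateRole. Held without a boundary, it lets the holder create an
# unbounded administrator role and assume it.
WEAK_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Resource": "*", "Action": "*"}]}


def _actions(policy, effect):
    """All Action patterns in statements with the given Effect."""
    out = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == effect:
            acts = stmt["Action"]
            out.extend([acts] if isinstance(acts, str) else acts)
    return out


def _matches(action, patterns):
    return any(fnmatchcase(action, p) for p in patterns)


def is_allowed(action, identity_policy, boundary_policy=None):
    """Simplified IAM decision on the Action element only (Resource and
    Condition are not evaluated): an explicit Deny in either policy wins;
    otherwise the identity policy must allow the action and, when a boundary
    is attached, the boundary must allow it too (effective = intersection)."""
    policies = [identity_policy] + ([boundary_policy] if boundary_policy else [])
    if any(_matches(action, _actions(p, "Deny")) for p in policies):
        return False
    return all(_matches(action, _actions(p, "Allow")) for p in policies)


def create_role_requires_boundary(policy, boundary_arn):
    """True if every Allow statement covering iam:CreateRole conditions it on
    iam:PermissionsBoundary == boundary_arn, i.e. created roles are capped too."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        acts = stmt["Action"]
        if _matches("iam:CreateRole", [acts] if isinstance(acts, str) else acts):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("iam:PermissionsBoundary") != boundary_arn:
                return False
    return True


if __name__ == "__main__":
    print(json.dumps(BOUNDARY_POLICY, indent=2))
    for action in ["iam:CreateRole", "ec2:RunInstances", "iam:DeleteRolePermissionsBoundary"]:
        print(f"{action}: identity only={is_allowed(action, DEVELOPER_POLICY)}, "
              f"with boundary={is_allowed(action, DEVELOPER_POLICY, BOUNDARY_POLICY)}")
    print("boundary caps created roles:", create_role_requires_boundary(BOUNDARY_POLICY, BOUNDARY_ARN))
    print("weak policy caps created roles:", create_role_requires_boundary(WEAK_POLICY, BOUNDARY_ARN))
```

The two denies at the end of the boundary are what make the cap durable: without them, anyone bounded by the policy (the developer or a role they created) could call iam:DeleteRolePermissionsBoundary or publish a new default version of the boundary and remove the ceiling. Putting the boundary condition inside the boundary's own iam:CreateRole statement, not just in the developer's identity policy, means a created role that was handed a broad identity policy still cannot create an unbounded role.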