Q13 — AWS DOP-C02 Ch.2

A company uses multiple AWS accounts. The company uses AWS Toolkit for Microsoft Azure DevOps to integrate with AWS Single Sign-On (AWS SSO). Access control features are enabled in AWS SSO, and attribute mappings are configured. The department attribute is mapped to ${path:enterprise.department}, and the costCenter attribute is mapped to ${path:enterprise.costCenter}. All existing Amazon EC2 instances are tagged with a department tag corresponding to one of three company departments (d1, d2, d3). DevOps engineers want to create policies based on matching attributes. These policies must minimize administrative overhead and grant each Azure AD user access only to EC2 instances tagged with the department name matching their own department attribute. Which condition key should DevOps engineers include in a custom permissions policy to meet these requirements?

Correct Answer: C. "Condition": { "StringEquals": { "ec2:ResourceTag/department": "${aws:PrincipalTag/department}" } }

Explanation

https://aws.amazon.com/blogs/security/simplify-granting-access-to-your-aws-resources-by-using-tags-on-aws-iam-users-and-roles/