Q76 — AWS DOP-C02 Ch.2

A company uses AWS CodeCommit for source control. Developers commit changes to various feature branches and create pull requests to merge those changes into the main branch after approval. Developers must not push changes directly to the main branch. The company applies the AWSCodeCommitPowerUser managed policy to developers’ IAM roles, but now developers can push changes directly to the main branch in every repository in the AWS account. How should the company restrict developers from pushing changes directly to the main branch?

Correct Answer: A. Create an additional policy containing explicit Deny statements for GitPush and PutFile actions, with a condition restricting the policy to the main branch reference for specific repositories.

Explanation

To prevent direct pushes to the main branch, an explicit Deny statement targeting GitPush and PutFile actions with a condition referencing the main branch is required. IAM evaluation order dictates that explicit Deny overrides any Allow, making Option C the correct and simplest approach. Option A creates an extra policy but is less direct than modifying the existing policy. Option B incorrectly grants permission to push to main by adding Allow statements. Option D permits pushes only to feature branches but does not block pushes to main, failing to meet the requirement.