Q76 — AWS DOP-C02 Ch.2
Question 76 of 100, Chapter 2
A company uses AWS CodeCommit for source control. Developers commit changes to various feature branches and create pull requests to merge those changes into the main branch after approval. Developers must not push changes directly to the main branch. The company applies the AWSCodeCommitPowerUser managed policy to developers’ IAM roles, but now developers can push changes directly to the main branch in every repository in the AWS account. How should the company restrict developers from pushing changes directly to the main branch?
- A. Create an additional policy containing explicit Deny statements for GitPush and PutFile actions, with a condition restricting the policy to the main branch reference for specific repositories. ✓
- B. Remove the IAM policy and attach the AWSCodeCommitReadOnly managed policy. Add Allow statements for GitPush and PutFile actions in the policy statement, with a condition restricting the policy to the main branch reference for specific repositories.
- C. Modify the IAM policy to include explicit Deny statements for GitPush and PutFile actions in the policy statement, with a condition restricting the policy to the main branch reference for specific repositories.
- D. Create an additional policy containing explicit Allow statements for GitPush and PutFile actions, with a condition restricting the policy to feature branch references for specific repositories.
Correct Answer: A. Create an additional policy containing explicit Deny statements for GitPush and PutFile actions, with a condition restricting the policy to the main branch reference for specific repositories.
Explanation
To prevent direct pushes to the main branch, attach an additional customer managed policy that contains an explicit Deny for the codecommit:GitPush and codecommit:PutFile actions, with a condition on the codecommit:References key that scopes the statement to refs/heads/main in the repositories concerned. IAM evaluates an explicit Deny ahead of any Allow, so the Deny overrides the broad permissions granted by AWSCodeCommitPowerUser while leaving pull request creation and merging (which use the MergePullRequestBy* actions, not GitPush or PutFile) intact. Option A is therefore correct. Option C is not possible: AWSCodeCommitPowerUser is an AWS managed policy and cannot be edited, so the Deny has to live in a separate policy attached alongside it. Option B grants push access to main by adding Allow statements, the opposite of what is required. Option D only allows pushes to feature branches, which developers already have, and adds no Deny, so direct pushes to main remain permitted.
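The following is an added example, not part of the original question or of any AWS material: it shows the shape of the Deny policy for Option A (following the codecommit:References condition AWS documents for branch protection) next to a deliberately simplified model of IAM's evaluation order, so that the deny-overrides-allow behaviour can be checked offline. The account ID, region and repository name are placeholders, the Allow policy is a stand-in for the relevant part of AWSCodeCommitPowerUser, and the evaluator implements only the two condition operators the policy uses; it is not the real IAM engine, so confirm the final policy with the IAM policy simulator before rolling it out.

```python
"""Option A modelled: an explicit Deny on pushes to refs/heads/main beside a
reduced model of IAM evaluation (explicit Deny beats Allow). Illustrative
only; not the real IAM engine and not AWS's own code."""
import fnmatch
import json

# Placeholders, not real resources.
ACCOUNT_ID = "111122223333"
REPO_ARN = f"arn:aws:codecommit:us-east-1:{ACCOUNT_ID}:MyDemoRepo"
PROTECTED_REF = "refs/heads/main"

# Stand-in for the Allow that AWSCodeCommitPowerUser grants; the real managed
# policy allows far more, only the two write actions matter here.
POWER_USER_LIKE_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["codecommit:GitPush", "codecommit:PutFile"],
        "Resource": "*",
    }],
}

# The additional customer managed policy: explicit Deny scoped to one
# repository and to the main branch reference.
DENY_DIRECT_PUSH_TO_MAIN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDirectPushToMain",
        "Effect": "Deny",
        "Action": ["codecommit:GitPush", "codecommit:PutFile"],
        "Resource": REPO_ARN,
        "Condition": {
            # Deny only when a pushed reference is main ...
            "StringEqualsIfExists": {"codecommit:References": [PROTECTED_REF]},
            # ... and only for requests that carry the References key at all,
            # so calls without the key are not swept up by the IfExists form.
            "Null": {"codecommit:References": "false"},
        },
    }],
}


def _matches(patterns, value):
    """IAM-style wildcard match for the Action and Resource elements."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the two operators the policy uses. Context values are lists
    because one git push may update several refs; here a match on any pushed
    ref satisfies StringEqualsIfExists (simplified multi-value handling)."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if operator == "StringEqualsIfExists":
                if actual is not None and not set(actual) & set(expected):
                    return False
            elif operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policies, action, resource, context):
    """Return 'Deny' or 'Allow' for one request: an explicit Deny wins over
    any Allow, and with no matching Allow the result is the implicit deny."""
    decision = "Deny"  # implicit deny until an Allow matches
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: nothing can override it
            decision = "Allow"
    return decision


def push_decision(refs, repo_arn=REPO_ARN):
    """Decision for a GitPush that updates the given refs on one repository,
    with both the Allow and the additional Deny policy attached."""
    return evaluate(
        [POWER_USER_LIKE_ALLOW, DENY_DIRECT_PUSH_TO_MAIN],
        "codecommit:GitPush",
        repo_arn,
        {"codecommit:References": list(refs)},
    )


if __name__ == "__main__":
    print(json.dumps(DENY_DIRECT_PUSH_TO_MAIN, indent=2))
    print("feature branch:", push_decision(["refs/heads/feature-login"]))
    print("main branch:   ", push_decision(["refs/heads/main"]))
    print("other repo:    ", push_decision(
        ["refs/heads/main"], repo_arn=REPO_ARN.replace("MyDemoRepo", "OtherRepo")))
```

Running the block prints the policy document to attach and three decisions: a push to a feature branch is allowed, a push to main in the protected repository is denied, and a push to main in a repository outside the Resource element is still allowed, which is why each protected repository's ARN (or a wildcard covering them) must be listed. To protect a branch against merges done outside the review process as well, the same statement can list the MergeBranchesBy* actions; that is deliberately left out here because the question requires pull request merges into main to keep working.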