Q38 — AWS DOP-C02 Ch.3
Question 38 of 100
A company hosts a security audit application in an AWS account. The audit application uses IAM roles to access other AWS accounts. All target accounts reside in the same organization within AWS Organizations. A recent security audit revealed that users in the audited AWS accounts can modify or delete the IAM roles used by the audit application. The company needs to prevent any entity other than trusted administrator IAM roles from modifying the audit application’s IAM roles. Which solution meets these requirements?
- A. Create an SCP containing a Deny statement targeting IAM role modifications for the audit application. Include a condition allowing changes by trusted administrator IAM roles. Attach the SCP to the organization root. ✓
- B. Create an SCP containing an Allow statement permitting trusted administrator IAM roles to modify the audit application’s IAM roles. Include Deny statements for all other IAM principals attempting such modifications. Attach the SCP to the IAM service in each AWS account where the audit application has IAM roles.
- C. Create an IAM permissions boundary containing a Deny statement targeting IAM role modifications for the audit application. Include a condition allowing changes by trusted administrator IAM roles. Attach the permissions boundary to the audited AWS accounts.
- D. Create an IAM permissions boundary containing a Deny statement targeting IAM role modifications for the audit application. Include a condition allowing changes by trusted administrator IAM roles. Attach the permissions boundary to the IAM roles used by the audit application in the AWS account.
Correct Answer: A. Create an SCP containing a Deny statement targeting IAM role modifications for the audit application. Include a condition allowing changes by trusted administrator IAM roles. Attach the SCP to the organization root.
Explanation
A service control policy (SCP) is the right tool here because AWS Organizations enforces it on every principal in the member accounts it covers, including the account root user and any administrator-level IAM users or roles the audited accounts create locally, and nothing inside a member account can remove or override it. Attached to the organization root, a Deny statement on the IAM role-modification actions (for example iam:DeleteRole, iam:UpdateAssumeRolePolicy, iam:AttachRolePolicy and iam:PutRolePolicy) scoped to the audit application's role ARNs, with an ArnNotLike condition on aws:PrincipalArn that exempts the trusted administrator roles, blocks every other principal while still letting the trusted administrators manage the roles.

Option B fails on two counts: an SCP Allow statement never grants permissions (SCPs only set the maximum permissions available to an account), and SCPs are attached to the organization root, organizational units or accounts, not to "the IAM service". Options C and D are ineffective because a permissions boundary cannot be attached to an account at all, and even when set on individual IAM entities it limits only what those entities can do; protecting the audit roles this way would require setting the boundary on every user and role in each audited account that can call IAM, and a local administrator could simply remove it. Option D is doubly wrong, since a boundary on the audit application's own roles would restrict what those roles can do rather than who can modify them.

Two practical caveats apply to the correct answer. SCPs do not affect the organization's management account, so its principals can still change the roles (which is also the recovery path if the SCP is misconfigured). And the aws:PrincipalArn pattern for the trusted administrator roles should be verified on a test OU before the policy is attached to the root, because a mistyped pattern denies everyone except the management account from managing the audit roles.
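The SCP that option A describes, as an added example that is not part of the original question page or its explanation: the policy is built as a Python dict so it can be dumped to the JSON document you attach to the organization root, and a small offline check shows which callers its Deny statement catches. The role names (SecurityAuditRole, TrustedAdminRole), the account ID and the list of write actions are assumptions for illustration; the matching logic is a simplified stand-in for the real IAM policy evaluator (ArnLike-style wildcards only, a single condition key, no NotAction/NotResource) that is good enough to reason about the ArnNotLike exemption before attaching the policy.

```python
"""Added example: an SCP protecting the audit application's cross-account roles,
plus a simplified local evaluator for its Deny statement. Names and IDs are
hypothetical; the evaluator is not the IAM policy engine."""
import fnmatch
import json

# Assumed naming scheme for the roles (hypothetical, not from the question).
AUDIT_ROLE_PATTERN = "arn:aws:iam::*:role/SecurityAuditRole*"   # roles to protect
TRUSTED_ADMIN_PATTERN = "arn:aws:iam::*:role/TrustedAdminRole"  # only allowed modifiers

# Write actions that can alter, weaken or remove an IAM role. Read-only actions
# such as iam:GetRole are deliberately left out so the roles can still be inspected.
IAM_ROLE_WRITE_ACTIONS = [
    "iam:DeleteRole",
    "iam:UpdateRole",
    "iam:UpdateRoleDescription",
    "iam:UpdateAssumeRolePolicy",
    "iam:AttachRolePolicy",
    "iam:DetachRolePolicy",
    "iam:PutRolePolicy",
    "iam:DeleteRolePolicy",
    "iam:PutRolePermissionsBoundary",
    "iam:DeleteRolePermissionsBoundary",
    "iam:TagRole",
    "iam:UntagRole",
]

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectAuditApplicationRoles",
            "Effect": "Deny",
            "Action": IAM_ROLE_WRITE_ACTIONS,
            "Resource": AUDIT_ROLE_PATTERN,
            # aws:PrincipalArn carries the role ARN for assumed-role sessions, so
            # the exemption follows the role rather than individual session names.
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": TRUSTED_ADMIN_PATTERN}},
        }
    ],
}


def scp_document() -> str:
    """Return the policy as the JSON document to attach to the organization root."""
    return json.dumps(SCP, indent=2)


def arn_like(pattern: str, value: str) -> bool:
    """ArnLike-style comparison: '*' and '?' wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(value, pattern)


def scp_denies(principal_arn: str, action: str, resource_arn: str) -> bool:
    """True if a Deny statement in SCP matches this request (simplified evaluator)."""
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(arn_like(pattern, action) for pattern in stmt["Action"]):
            continue
        if not arn_like(stmt["Resource"], resource_arn):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt is not None and arn_like(exempt, principal_arn):
            continue  # condition not satisfied: trusted admin role is exempt from the Deny
        return True
    return False


def demo() -> dict:
    """Constructed requests against one audited account (account ID is made up)."""
    audit_role = "arn:aws:iam::222222222222:role/SecurityAuditRole"
    callers = {
        "developer role in audited account": "arn:aws:iam::222222222222:role/DeveloperRole",
        "IAM user with AdministratorAccess": "arn:aws:iam::222222222222:user/alice",
        "account root user": "arn:aws:iam::222222222222:root",
        "trusted administrator role": "arn:aws:iam::222222222222:role/TrustedAdminRole",
    }
    return {who: scp_denies(arn, "iam:UpdateAssumeRolePolicy", audit_role)
            for who, arn in callers.items()}


if __name__ == "__main__":
    print(scp_document())
    for who, denied in demo().items():
        print(f"{who:36s} -> {'DENIED by SCP' if denied else 'not denied by SCP'}")
```

In production the trusted-administrator pattern should name the account that owns the admin role rather than `*`, so that a same-named role created in an audited account does not inherit the exemption. Remember too that an SCP never grants anything: a caller the Deny does not catch still needs an identity policy that allows the IAM action, and principals in the management account are outside the SCP's reach entirely.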