Q38 — AWS DOP-C02 Ch.3

Question 38 of 100

A company hosts a security audit application in an AWS account. The audit application uses IAM roles to access other AWS accounts. All target accounts reside in the same organization within AWS Organizations. A recent security audit revealed that users in the audited AWS accounts can modify or delete the IAM roles used by the audit application. The company needs to prevent any entity other than trusted administrator IAM roles from modifying the audit application’s IAM roles. Which solution meets these requirements?

Correct Answer: A. Create an SCP containing a Deny statement targeting IAM role modifications for the audit application. Include a condition allowing changes by trusted administrator IAM roles. Attach the SCP to the organization root.

Explanation

A service control policy (SCP) is the right tool for restricting permissions across an organization: attached to the organization root, it applies to every member account (SCPs never affect the management account itself). Here, a Deny statement blocks modifications to the IAM roles the audit application uses, while a condition exempts the trusted administrator IAM roles so they can still make changes. Options C and D are ineffective because IAM permissions boundaries apply to IAM entities (users, groups, and roles), not to accounts themselves, and would have to be applied to every relevant IAM entity in each account.