Q72 — AWS DOP-C02 Ch.3
Question 72 of 100
A company uses an AWS Cloud Development Kit (AWS CDK) application to manage its infrastructure. The AWS CDK application creates AWS Lambda functions and associated IAM roles. The company follows organizational security standards. Developers can assume the IAM roles deployed by the AWS CDK application.
- A. Create a Service Control Policy (SCP) denying IAM:CreateRole and IAM:UpdateRole actions for developer roles and the AWS CDK application deployment role. Centrally create new IAM roles to attach to Lambda functions and grant developers access to use them.
- B. Create an IAM permissions boundary policy. Define the maximum required actions for the AWS CDK application in the policy. Update the account’s AWS CDK bootstrap to use the permissions boundary. Update the AWS CDK application configuration to use this policy as the default permissions boundary. ✓
- C. Create an IAM permissions boundary policy. Define the maximum required actions for the AWS CDK application in the policy. Instruct developers to specify the permissions boundary policy name when creating roles in the AWS CDK application code.
- D. Create a Service Control Policy (SCP) denying IAM:CreateRole and IAM:UpdateRole actions for developer roles. Grant the AWS CDK deployment role permission to create roles associated with Lambda functions. Run AWS Identity and Access Management Access Analyzer to validate that Lambda function roles have no excessive permissions.
Correct Answer: B
Explanation
The scenario is CDK-created Lambda roles that developers can assume, so any permission the CDK app is allowed to put on a role is a permission a developer can end up using. The control that caps this is an IAM permissions boundary: a managed policy that sets the maximum permissions an IAM role or user can have. A boundary grants nothing by itself. The effective permissions are the intersection of the identity-based policies and the boundary, and an explicit deny in either one wins; it does not "override" the identity policies, it limits them. Option B defines a boundary containing the maximum actions the CDK app needs, attaches it to the CloudFormation execution role that CDK deploys with via `cdk bootstrap --custom-permissions-boundary <PolicyName>`, and makes it the app-wide default through the `@aws-cdk/core:permissionsBoundary` context key in cdk.json, so every IAM role the app synthesizes carries the boundary without a developer having to remember it. Option C relies on each developer to name the boundary on every role in code; a single omission yields an unbounded role. Options A and D use SCPs to deny `iam:CreateRole` and `iam:UpdateRole`: A moves role creation to a central team, which is exactly the operational overhead the CDK app was meant to remove, and D leaves the deployment role free to create unbounded roles and only reviews them afterwards with IAM Access Analyzer, which reports excess permissions but does not prevent them. Option B is therefore the preventive, least-operational-overhead answer. One practical caveat: the boundary policy must protect itself. It should deny `iam:CreateRole` and `iam:PutRolePermissionsBoundary` unless the `iam:PermissionsBoundary` condition key equals the boundary's own ARN, and deny `iam:DeleteRolePermissionsBoundary` and edits to the boundary policy; otherwise a role capped by the boundary can still create or convert roles that escape it.
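As an added illustration (this script is not part of the exam page and is not AWS CDK code), the following Python simulates how a permissions boundary caps the CDK deployment role and why the boundary needs the `iam:PermissionsBoundary` self-protection statements. The account id, the policy name `cdk-lambda-permissions-boundary`, the role ARNs and the reduced IAM evaluator are all assumptions made for the example: only identity-based policies and the boundary are evaluated (no SCPs, resource-based or session policies), and only the `StringEquals` / `StringNotEquals` condition operators are implemented, which is all the boundary check needs.

```python
"""Simulated evaluation of an IAM permissions boundary on a CDK deployment role.
Added example; the evaluator is a deliberate simplification of IAM, not the real thing."""
from fnmatch import fnmatch

ACCOUNT = "111122223333"                              # constructed account id
BOUNDARY_NAME = "cdk-lambda-permissions-boundary"     # hypothetical policy name
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/{BOUNDARY_NAME}"

# The boundary: maximum the CDK app may need, plus statements that stop the
# boundary from being bypassed. This is the policy you would name in
# `cdk bootstrap --custom-permissions-boundary` and in cdk.json.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "MaximumCdkAppPermissions", "Effect": "Allow",
         "Action": ["lambda:*", "logs:*", "cloudformation:*",
                    "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:PassRole",
                    "iam:AttachRolePolicy", "iam:DetachRolePolicy",
                    "iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:TagRole"],
         "Resource": "*"},
        # Roles created under this boundary must carry the same boundary; otherwise
        # the deployment role could mint an unbounded role and a developer assume it.
        {"Sid": "DenyRoleCreationWithoutThisBoundary", "Effect": "Deny",
         "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        # The boundary cannot be stripped from a role or edited in place.
        {"Sid": "DenyBoundaryRemoval", "Effect": "Deny",
         "Action": "iam:DeleteRolePermissionsBoundary", "Resource": "*"},
        {"Sid": "DenyBoundaryPolicyEdits", "Effect": "Deny",
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": BOUNDARY_ARN},
    ],
}

# Default CDK bootstrap gives the CloudFormation execution role administrator access;
# the boundary is what turns that into something bounded.
DEPLOY_ROLE_POLICY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# A developer role with a single identity permission, to show a boundary grants nothing.
DEVELOPER_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction",
                                   "Resource": "*"}]}


def _matches(patterns, value):
    """Case-insensitive IAM-style wildcard match for Action and Resource entries."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch(value.lower(), pattern.lower()) for pattern in patterns)


def _condition_holds(condition, context):
    """StringEquals / StringNotEquals only. A missing context key makes StringEquals
    false and StringNotEquals true, matching IAM's treatment of absent keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else list(expected)
            actual = context.get(key)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def _evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    verdict = "Implicit"
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action)
                and _matches(stmt.get("Resource", "*"), resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny is final
            verdict = "Allow"
    return verdict


def is_allowed(identity_policy, boundary_policy, action, resource="*", context=None):
    """Effective permission under a boundary: the request must be allowed by BOTH the
    identity policy and the boundary, and explicitly denied by neither."""
    context = context or {}
    identity = _evaluate(identity_policy, action, resource, context)
    boundary = _evaluate(boundary_policy, action, resource, context)
    return identity == "Allow" and boundary == "Allow"   # any 'Deny' or 'Implicit' fails


def deployment_scenarios():
    """Requests the deployment role and a developer might make, evaluated under the boundary."""
    role = f"arn:aws:iam::{ACCOUNT}:role/cdk-app-LambdaRole"       # constructed
    fn = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:cdk-app-fn"   # constructed
    bounded = {"iam:PermissionsBoundary": BOUNDARY_ARN}
    deploy = lambda action, res="*", ctx=None: is_allowed(DEPLOY_ROLE_POLICY, BOUNDARY_POLICY, action, res, ctx)
    dev = lambda action, res="*": is_allowed(DEVELOPER_POLICY, BOUNDARY_POLICY, action, res)
    return {
        "create_role_with_boundary": deploy("iam:CreateRole", role, bounded),
        "create_role_without_boundary": deploy("iam:CreateRole", role),
        "create_lambda_function": deploy("lambda:CreateFunction", fn),
        "run_ec2_instance": deploy("ec2:RunInstances"),          # admin identity, but outside boundary
        "strip_boundary": deploy("iam:DeleteRolePermissionsBoundary", role),
        "edit_boundary_policy": deploy("iam:CreatePolicyVersion", BOUNDARY_ARN),
        "developer_invoke_function": dev("lambda:InvokeFunction", fn),
        "developer_create_function": dev("lambda:CreateFunction", fn),  # boundary allows, identity does not
    }


if __name__ == "__main__":
    for name, allowed in deployment_scenarios().items():
        print(f"{name:32} {'ALLOW' if allowed else 'DENY'}")
```

Wiring this into option B, under the same assumed policy name: create the document above as a customer managed policy, run `cdk bootstrap --custom-permissions-boundary cdk-lambda-permissions-boundary` so the CloudFormation execution role is capped, and add `"@aws-cdk/core:permissionsBoundary": {"name": "cdk-lambda-permissions-boundary"}` under `context` in cdk.json so `cdk synth` emits a `PermissionsBoundary` property on every role in the app. The `create_role_without_boundary` case is the one that distinguishes a boundary that merely lists actions from one that also enforces itself.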