Q72 — AWS DOP-C02 Ch.3

Question 72 of 100 | Chapter 3

A company uses an AWS Cloud Development Kit (AWS CDK) application to manage its infrastructure. The AWS CDK application creates AWS Lambda functions and associated IAM roles. The company follows organizational security standards. Developers can assume the IAM roles deployed by the AWS CDK application.

Correct Answer: B. Create an IAM permissions boundary policy. Define the maximum required actions for the AWS CDK application in the policy. Update the account’s AWS CDK bootstrap to use the permissions boundary. Update the AWS CDK application configuration to use this policy as the default permissions boundary.

Explanation

The issue is over-permissioned IAM roles created by the AWS CDK application that developers can then assume, so the fix must cap the maximum permissions of every role the application deploys. An IAM permissions boundary is the mechanism for this: a role's effective permissions are the intersection of its identity-based policies and its boundary, and an explicit deny in either wins. The boundary grants nothing on its own and cannot widen a role, but it caps every role it is attached to no matter how permissive the attached policies are. Option B defines a boundary policy listing the maximum actions the CDK application's roles require, bootstraps the account with that boundary (cdk bootstrap --custom-permissions-boundary <policy-name>) so that the CloudFormation execution role created by bootstrap is itself bounded and cannot deploy beyond it, and makes the boundary the application default (the @aws-cdk/core:permissionsBoundary context key in cdk.json, or PermissionsBoundary.of(stack).apply(...) in code) so every IAM role and user the application synthesizes carries it automatically. No per-role manual step is needed, unlike Option C, and unlike the SCPs in Options A and D it does not constrain the whole account or organization; it targets exactly the roles the CDK application creates. Two points a practitioner should verify: the boundary must still allow every action the Lambda roles legitimately need, because anything it omits is denied even when a role policy grants it; and a boundary limits only the entity it is attached to, so the boundary policy should deny creating or modifying IAM roles unless the new role carries the same boundary (the iam:PermissionsBoundary condition key), otherwise a bounded role could create an unbounded one. Option B therefore aligns with AWS best practices for least-privilege enforcement with minimal operational overhead.
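To make the intersection rule concrete, the following is an added example (not part of the exam page or of any AWS tooling): a simplified IAM policy evaluator that takes a constructed over-permissive role policy of the kind a CDK app might generate, applies a constructed boundary policy, and reports which actions a developer assuming the role could actually perform. The policy documents, action list and evaluator are all constructed here; the evaluator handles only Effect/Action/Resource with wildcards and ignores conditions, NotAction, principals and resource policies.

```python
"""Effective permissions under an IAM permissions boundary (added example).

Simplified model of IAM evaluation: identity-based policies and the boundary
are evaluated separately; an explicit Deny in either wins, otherwise the action
is allowed only if the identity policy allows it AND the boundary allows it.
Conditions, NotAction/NotResource, principals and resource policies are ignored.
"""
import fnmatch
import json

# Constructed boundary: the maximum any role deployed by the CDK app may do.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:*", "dynamodb:GetItem", "dynamodb:PutItem",
                    "dynamodb:Query", "s3:GetObject"],
         "Resource": "*"},
        # Explicit deny on privilege-escalation paths, regardless of role policy.
        {"Effect": "Deny",
         "Action": ["iam:*", "organizations:*", "sts:AssumeRole"],
         "Resource": "*"},
    ],
}

# Constructed role policy: the kind of over-broad grant the question describes.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:*", "s3:*", "logs:*",
                    "iam:PassRole", "iam:CreateRole"],
         "Resource": "*"}
    ],
}

# Actions a developer assuming the role might try (constructed list).
CANDIDATE_ACTIONS = [
    "dynamodb:GetItem", "dynamodb:DeleteTable", "s3:GetObject", "s3:PutObject",
    "logs:PutLogEvents", "iam:CreateRole", "iam:PassRole", "sts:AssumeRole",
]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    decision = "Implicit"
    for statement in policy["Statement"]:
        if not any(_matches(p, action) for p in _as_list(statement.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, p)
                   for p in _as_list(statement.get("Resource", []))):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"          # explicit deny short-circuits everything
        decision = "Allow"
    return decision


def is_allowed(identity_policies, action, resource, boundary=None):
    """Final decision for one action, with or without a permissions boundary."""
    identity = [evaluate(p, action, resource) for p in identity_policies]
    if "Deny" in identity or "Allow" not in identity:
        return False               # the boundary never grants on its own
    if boundary is None:
        return True
    # With a boundary attached the action must also be allowed by the boundary
    # (an explicit Deny in the boundary falls through to False here as well).
    return evaluate(boundary, action, resource) == "Allow"


def effective_actions(identity_policies, boundary, candidates, resource="*"):
    """Sorted subset of candidate actions the entity can actually perform."""
    return sorted(a for a in candidates
                  if is_allowed(identity_policies, a, resource, boundary))


if __name__ == "__main__":
    print("boundary policy:", json.dumps(BOUNDARY_POLICY, indent=2))
    print("without boundary:", effective_actions([ROLE_POLICY], None, CANDIDATE_ACTIONS))
    print("with boundary:   ", effective_actions([ROLE_POLICY], BOUNDARY_POLICY, CANDIDATE_ACTIONS))
```

With the boundary attached the role keeps only the three actions both documents allow; the `dynamodb:*` and `s3:*` wildcards in the role policy are cut down to the boundary's list, and `iam:CreateRole`/`iam:PassRole` are blocked by the boundary's explicit deny even though the role policy grants them. Calling `is_allowed([], ...)` with only the boundary returns False for everything, which is the "a boundary grants nothing by itself" property to keep in mind when writing the boundary policy.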