Q51 — AWS SCS-C02 Ch.1
Question 51 of 100
A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1,000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly. The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation. Which solution will meet these requirements with the LEAST operational overhead?
- A. Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).
- B. Delegate application team leads to provision IAM roles for each team. Conduct a quarterly review of the IAM roles the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.
- C. Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions in the AWS account of each team.
- D. Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles. ✓
Correct Answer: D. Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.
Explanation
Combining a service control policy (SCP) in AWS Organizations with an IAM permissions boundary centralizes control over how IAM roles are created while capping what those roles can do. An SCP applies to every account under the OU it is attached to; a Deny on iam:CreateRole (and on the actions that attach or inline policies to a role) conditioned on the iam:PermissionsBoundary key forces every role a team creates to carry the approved boundary, and the boundary defines the maximum permissions the role's identity policies can ever grant. Because the SCP is attached once at the root OU and inherited by all member accounts, no per-team policy work is needed, which is the least operational overhead of the four options. Option D therefore allows self-service role creation while preventing privilege escalation. In practice the SCP must also close the obvious escape hatches: deny iam:DeleteRolePermissionsBoundary, and deny changes to the boundary policy itself (iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:DeletePolicyVersion, iam:DeletePolicy); otherwise a team could strip the boundary from its role or widen the boundary. Note that SCPs never grant permissions, so each team still needs an identity policy allowing iam:CreateRole, and that SCPs do not affect the management account. The other options either rely on manual management (A provisions IAM users and groups per team, which AWS discourages in favor of roles; B depends on quarterly human review, which does not prevent escalation between reviews) or require maintaining one OU and SCP per account (C), which does not scale to 1,000 accounts.
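The following is an added example, not part of the original question page, showing what option D looks like as policy documents: an SCP for the root OU, the permissions boundary it requires, and a small toy evaluator that applies only the SCP's explicit Deny statements to sample requests so you can see which IAM API calls are blocked. The evaluator is not AWS's policy engine; the account ID (`111122223333`), policy name (`AppTeamBoundary`) and role names are placeholders.

```python
"""Added example: SCP + permissions boundary for self-service IAM roles (option D),
with a toy evaluator covering only the SCP's explicit Deny statements.
Account ID, policy name and role names are placeholders."""
import fnmatch

ACCOUNT = "111122223333"                          # placeholder account ID
BOUNDARY_NAME = "AppTeamBoundary"                 # placeholder policy name
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/{BOUNDARY_NAME}"
# The SCP sits at the root OU, so it names the boundary with a wildcard account:
# the same boundary policy is deployed under this name in every member account.
BOUNDARY_PATTERN = f"arn:aws:iam::*:policy/{BOUNDARY_NAME}"

# Permissions boundary: the maximum permissions any team-created role can hold,
# whatever identity policies the team attaches to it.
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "dynamodb:*", "lambda:*", "logs:*", "cloudwatch:*"],
         "Resource": "*"},
        # A role under the boundary cannot mint new principals or touch the org.
        {"Effect": "Deny",
         "Action": ["iam:CreateRole", "iam:CreateUser", "organizations:*"],
         "Resource": "*"},
    ],
}

# SCP attached to the root OU. Roles may be created and have their policies changed
# only when the request carries the approved boundary; nobody in a member account
# may remove the boundary from a role or edit the boundary policy itself.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RequireBoundary", "Effect": "Deny",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
                    "iam:DetachRolePolicy", "iam:DeleteRolePolicy",
                    "iam:PutRolePermissionsBoundary"],
         "Resource": "*",
         "Condition": {"ArnNotLike": {"iam:PermissionsBoundary": BOUNDARY_PATTERN}}},
        {"Sid": "NoBoundaryRemoval", "Effect": "Deny",
         "Action": "iam:DeleteRolePermissionsBoundary", "Resource": "*"},
        {"Sid": "NoBoundaryTampering", "Effect": "Deny",
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": BOUNDARY_PATTERN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Toy Condition evaluation for the operators used above. As in IAM, a negated
    operator whose key is absent from the request context counts as matching."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                continue
            if operator == "ArnNotLike":
                if any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected)):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def scp_denies(action, resource, context=None):
    """Return the Sid of the first explicit Deny that matches the call, else None."""
    context = context or {}
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return stmt["Sid"]
    return None


def demo():
    """Constructed requests a team member might make; None means the SCP lets it through."""
    role = f"arn:aws:iam::{ACCOUNT}:role/app-team-a/order-service"
    other = f"arn:aws:iam::{ACCOUNT}:policy/TeamOwnedPolicy"
    return {
        "create_role_no_boundary": scp_denies("iam:CreateRole", role),
        "create_role_with_boundary": scp_denies(
            "iam:CreateRole", role, {"iam:PermissionsBoundary": BOUNDARY_ARN}),
        "create_role_wrong_boundary": scp_denies(
            "iam:CreateRole", role, {"iam:PermissionsBoundary": other}),
        "strip_boundary": scp_denies("iam:DeleteRolePermissionsBoundary", role),
        "widen_boundary_policy": scp_denies("iam:CreatePolicyVersion", BOUNDARY_ARN),
        "edit_own_policy": scp_denies("iam:CreatePolicyVersion", other),
    }


if __name__ == "__main__":
    for name, sid in demo().items():
        print(f"{name:28s} -> {'DENY by ' + sid if sid else 'not blocked by SCP'}")
```

Two things the block does not show but a deployment needs: the boundary policy has to exist under the same name in every member account (CloudFormation StackSets is the usual way to push it to 1,000 accounts), and each team's own role still needs an identity policy that allows iam:CreateRole and the policy-attachment actions, because an SCP only filters permissions and never grants them. If the central security team must keep the ability to remove or edit boundaries, add an aws:PrincipalArn condition exempting its role to the NoBoundaryRemoval and NoBoundaryTampering statements.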