Tagged: #awsorganization, IAMPermissionPolicy, SCP
-
Review Set 5 – execute IAM actions for supervisory role
Irene-TutorialsDojo updated 3 months, 2 weeks ago · 2 Members · 4 Posts
Category: CSAP – Design Solutions for Organizational Complexity.
Q “A digital services provider manages many AWS accounts via AWS Organizations. The company’s policy mandates that only personnel in supervisory roles can execute IAM actions. However, the cloud manager, who is responsible for doing this task, doesn’t have access to all the AWS accounts. What would be the most effective approach to implement this policy with minimal administrative effort?”
This question first says the company wants to mandate “only supervisory roles can execute IAM actions” (-> SCP), followed by “the cloud manager doesn’t have access to all the AWS accounts” (-> IAM permissions).
The answer options (select ONE):
- Implement AWS Service Control Policies (SCPs) at the root Organizational Unit (OU) level that deny all non-supervisory roles from executing IAM actions
- Use IAM permissions boundaries to restrict IAM actions to supervisory roles
- Assign AWS Service Control Policies (SCPs) directly to individual IAM users in each AWS account
- Use AWS Identity and Access Management (IAM) to create a single IAM role with the necessary permissions and assign this role to all supervisory personnel across all AWS accounts.
I can’t figure out if the question is asking about implementing an SCP so that “only supervisors can execute IAM actions”, or about resolving the IAM permission problem so that the “manager role can execute IAM actions” in the organization. What is the intent of the question: SCP or IAM permissions?
-
Hi AudreyST,
Thank you for reaching out with your question. The primary focus of the question is to implement a policy restricting IAM actions to supervisory levels across all AWS accounts in your organization. While the scenario specifies a cloud manager who lacks access to all accounts, the main difficulty is enforcing IAM limitations for non-supervisory jobs across the corporation.
AWS Service Control Policies (SCPs) are the preferred method to do this effectively. SCPs enable you to centrally manage and enforce permissions for all accounts in an AWS Organization. Applying an SCP at the root Organizational Unit (OU) level allows you to effectively block IAM actions for non-supervisory roles across the company.
In summary, while the IAM permissions for the cloud manager are included in the scenario, the question’s main goal is to guide you toward using SCPs to build the appropriate policy for supervisory roles.
Please let us know if you have any further questions or need additional assistance!
Cheers,
Irene @ Tutorials Dojo
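As an added illustration (not part of the original thread or Tutorials Dojo's material), the following Python models how a root-level SCP of the kind described in the accepted answer combines with an account's own IAM policy. The account IDs, role names, the "Supervisor*" naming convention and the policy documents are constructed for the example; `aws:PrincipalArn`, `StringNotLike` and the `FullAWSAccess` default SCP are real AWS elements. The evaluator only models the explicit-deny / allow / implicit-deny ordering and the two string condition operators used here, and ignores resource ARNs, permissions boundaries, session and resource policies.

```python
"""Model of how a root-level SCP combines with an identity policy in a member
account. Added illustration, not Tutorials Dojo's material; the account IDs,
role names and policy documents below are constructed for the example."""
import fnmatch

# Constructed SCP: deny every IAM action unless the caller is a role whose
# name starts with "Supervisor". aws:PrincipalArn and StringNotLike are real
# condition elements; the "Supervisor*" naming convention is an assumption.
DENY_IAM_UNLESS_SUPERVISOR = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIAMUnlessSupervisorRole",
        "Effect": "Deny",
        "Action": "iam:*",
        "Resource": "*",
        "Condition": {
            "StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/Supervisor*"}
        },
    }],
}

# AWS attaches FullAWSAccess to the root by default. An SCP only caps what an
# account can do; without an Allow in the SCP chain nothing is permitted.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed identity policies, i.e. what each account's own IAM grants.
IAM_AND_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "s3:*"], "Resource": "*"}]}
S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards (* and ?) line up with fnmatch for the values used here.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Only the two string operators the example policies use are modelled.
    As in IAM, a negated operator on a missing context key evaluates true."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            hit = any(_matches(p, context.get(key, "")) for p in _as_list(patterns))
            if operator == "StringLike" and not hit:
                return False
            if operator == "StringNotLike" and hit:
                return False
            if operator not in ("StringLike", "StringNotLike"):
                raise NotImplementedError(operator)
    return True


def evaluate(policies, action, context):
    """Decision for one action over a set of policy documents: an explicit
    Deny wins, otherwise some statement must Allow, otherwise implicit Deny.
    Resource ARNs are not checked in this model."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


SCPS = [FULL_AWS_ACCESS, DENY_IAM_UNLESS_SUPERVISOR]


def decide(principal_arn, identity_policy, action):
    """Effective result in a member account (the management account is never
    restricted by SCPs): the SCPs must allow AND the identity policy must
    allow. Boundaries, session and resource policies are left out."""
    context = {"aws:PrincipalArn": principal_arn}
    if evaluate(SCPS, action, context) == "Deny":
        return "Deny"
    return evaluate([identity_policy], action, context)


if __name__ == "__main__":
    dev = "arn:aws:iam::111111111111:role/Developer"
    sup_a = "arn:aws:iam::111111111111:role/SupervisorCloudManager"
    sup_b = "arn:aws:iam::222222222222:role/SupervisorCloudManager"
    print(decide(dev, IAM_AND_S3, "iam:CreateUser"))    # Deny: blocked by the SCP
    print(decide(dev, IAM_AND_S3, "s3:GetObject"))      # Allow: the SCP only touches iam:*
    print(decide(sup_a, IAM_AND_S3, "iam:CreateUser"))  # Allow: exempted role, account grants it
    print(decide(sup_b, S3_ONLY, "iam:CreateUser"))     # Deny: SCP grants nothing, account 2222... must
```

The last case is the second issue raised in the thread: the SCP is a guardrail that caps permissions in every member account, but it grants nothing, so the cloud manager still needs a role with IAM permissions in each account (for example a cross-account role they can assume) before the supervisory exemption is of any use. Two practitioner checks follow from the model: the "Supervisor*" exemption is only safe because the same SCP denies `iam:CreateRole` to everyone else, so non-supervisors cannot mint a role with that prefix; and "root OU" in the question means the organization root, whose management account is outside SCP enforcement entirely.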
-
This is odd – I submitted my reply and it disappeared! Reposting:
Hi Irene, the point is that the question reads to me as if there are 2 issues (SCP & IAM permissions), then asks for a single-option answer without clearly stating which of the 2 issues it is looking for an answer to. An SCP policy alone won’t solve the permission issue, and vice versa.
Please consider reframing the question in an unambiguous manner, to uphold the high quality standards of TD products that TD customers are used to.
Thank you.
-
Hi AudreyST,
Thank you for sharing your feedback. You’re right that the initial question could be interpreted as addressing two different issues—SCP enforcement and IAM permissions—without clearly stating which one it’s focusing on. We’ve reviewed the question and made updates to ensure it’s unambiguous and maintains the quality TD products are known for.
We’ll make sure these changes are reflected on the portal as well. Your keen eye for detail is much appreciated, and we’re grateful for your commitment to maintaining the quality of our content.
Thanks again for your valuable input!
Cheers,
Irene @ Tutorials Dojo