
  • Review Set 5 – execute IAM actions for supervisory role

  • AudreyST

    Member
    August 17, 2024 at 12:39 pm

    Category: CSAP – Design Solutions for Organizational Complexity.
    Q “A digital services provider manages many AWS accounts via AWS Organizations. The company’s policy mandates that only personnel in supervisory roles can execute IAM actions. However, the cloud manager, who is responsible for doing this task, doesn’t have access to all the AWS accounts.

    What would be the most effective approach to implement this policy with minimal administrative effort?”

    This question first says the company wants to mandate “only supervisory roles can execute IAM actions” (-> SCP), followed by “the cloud manager doesn’t have access to all the AWS accounts” (-> IAM Permissions).

    The answer options (select ONE):

    • Implement AWS Service Control Policies (SCPs) at the root Organizational Unit (OU) level that deny all non-supervisory roles from executing IAM actions
    • Use IAM permissions boundaries to restrict IAM actions to supervisory roles
    • Assign AWS Service Control Policies (SCPs) directly to individual IAM users in each AWS account
    • Use AWS Identity and Access Management (IAM) to create a single IAM role with the necessary permissions and assign this role to all supervisory personnel across all AWS accounts.

    I can’t figure out if the question is asking about implementing SCP so that “only supervisors can execute IAM actions” or resolving the IAM permission problem so the “manager role can execute IAM actions” in the organization. What is the intent of the question – SCP or IAM permissions?

  • Irene-TutorialsDojo

    Administrator
    August 19, 2024 at 9:10 am

    Hi AudreyST,

    Thank you for reaching out with your question. The primary focus of the question is to implement a policy restricting IAM actions to supervisory levels across all AWS accounts in your organization. While the scenario specifies a cloud manager who lacks access to all accounts, the main difficulty is enforcing IAM limitations for non-supervisory jobs across the corporation.

    AWS Service Control Policies (SCPs) are the preferred method to do this effectively. SCPs enable you to centrally manage and enforce permissions for all accounts in an AWS Organization. Applying an SCP at the root Organizational Unit (OU) level allows you to effectively block IAM actions to non-supervisory roles across the company.

    In summary, while the IAM permissions for the cloud manager are included in the scenario, the question’s main goal is to guide you toward using SCPs to build the appropriate policy for supervisory roles.

    Please let us know if you have any further questions or need additional assistance!

    Cheers,

    Irene @ Tutorials Dojo

    • AudreyST

      Member
      August 22, 2024 at 12:25 pm

      This is odd – I submitted my reply and it disappeared! Reposting:

      Hi Irene, the point is the question reads to me as there are 2 issues (SCP & IAM permissions) then asks for a single-option choice answer, without clearly stating which of the 2 issues it is looking for an answer. An SCP policy alone won’t solve the permission issue, and vice versa.

      Please consider reframing the question in an unambiguous manner – to uphold the high quality standards of TD products that TD customers are used to.

      Thank you.

      • Irene-TutorialsDojo

        Administrator
        August 23, 2024 at 9:25 am

        Hi AudreyST,

        Thank you for sharing your feedback. You’re right that the initial question could be interpreted as addressing two different issues—SCP enforcement and IAM permissions—without clearly stating which one it’s focusing on. We’ve reviewed the question and made updates to ensure it’s unambiguous and maintains the quality TD products are known for.

        We’ll make sure these changes are reflected on the portal as well. Your keen eye for detail is much appreciated, and we’re grateful for your commitment to maintaining the quality of our content.

        Thanks again for your valuable input!

        Cheers,

        Irene @ Tutorials Dojo
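
An SCP of the kind discussed in this thread, as an added example that is not part of the original posts or of the practice exam: it denies every IAM action unless the calling principal is a supervisory role. The role name pattern `SupervisoryRole*` and the `Sid` are assumptions for illustration; the policy would be attached at the organization root.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUnlessSupervisoryRole",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SupervisoryRole*"
        }
      }
    }
  ]
}
```

An SCP only filters permissions and grants none, so a principal that passes this condition still needs an IAM policy in each member account that allows the IAM actions. SCPs also do not apply to the organization's management account.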
