Question 39
Domain 6: Security and Compliance
A company hosts a security auditing application in an AWS account. The auditing application uses an IAM role to access other AWS accounts. All the accounts are in the same organization in AWS Organizations. A recent security audit revealed that users in the audited AWS accounts could modify or delete the auditing application's IAM role. The company needs to prevent any modification to the auditing application's IAM role by any entity other than a trusted administrator IAM role. Which solution will meet these requirements?
Correct answer: A
Explanation
An AWS Organizations service control policy (SCP) sets the maximum permissions available to the IAM principals (including the root user) in member accounts. An SCP never grants permissions, and an explicit Deny in an SCP cannot be overridden by any identity-based or resource-based policy in those accounts. Attaching the SCP to the root applies the restriction to every account in the organization (SCPs do not affect the management account itself), and a condition on the calling principal's ARN exempts the trusted administrator IAM role, so only that role can modify or delete the auditing application's IAM role.
Why each option is right or wrong
A. Create an SCP that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the SCP to the root of the organization.
Under AWS Organizations, a service control policy (SCP) attached at the root sets the maximum permissions for every member account in the organization, and an explicit Deny in an SCP cannot be overridden by any IAM allow in those accounts. By writing the Deny to cover the IAM actions that change or delete the specific role (its trust policy, attached and inline policies, permissions boundary and tags as well as the role itself) and exempting only the trusted administrator IAM role through a condition on aws:PrincipalArn, the organization blocks every other principal from modifying that role across all accounts.
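An SCP that implements option A, written here as an added example in Terraform (it is not part of the original question or explanation). The role name AuditAppRole, the trusted administrator role ARN arn:aws:iam::111122223333:role/TrustedAdminRole, the policy name, and a Terraform AWS provider configured against the organization's management account are all assumptions:

```hcl
# Added example: an SCP implementing option A, managed with Terraform.
# Assumptions (not from the question): the auditing role is named
# AuditAppRole in every audited account, the trusted administrator role is
# arn:aws:iam::111122223333:role/TrustedAdminRole, and the AWS provider is
# configured against the organization's management account.

data "aws_organizations_organization" "this" {}

resource "aws_organizations_policy" "protect_audit_role" {
  name        = "ProtectAuditAppRole"
  description = "Only TrustedAdminRole may change or delete AuditAppRole"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "DenyChangesToAuditAppRole"
      Effect = "Deny"
      # Every IAM action that alters the role, its trust policy, its attached
      # or inline policies, its permissions boundary, or its tags.
      Action = [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:TagRole",
        "iam:UntagRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ]
      # The wildcard account ID matches the role in every member account.
      Resource = "arn:aws:iam::*:role/AuditAppRole"
      # For a role session, aws:PrincipalArn is the ARN of the role itself.
      # Matching the full ARN (including the account ID) exempts only the
      # trusted administrator role in that one account, not a same-named
      # role that someone creates in another account.
      Condition = {
        StringNotLike = {
          "aws:PrincipalArn" = "arn:aws:iam::111122223333:role/TrustedAdminRole"
        }
      }
    }]
  })
}

# Attaching at the root applies the SCP to every account in the organization.
resource "aws_organizations_policy_attachment" "root" {
  policy_id = aws_organizations_policy.protect_audit_role.id
  target_id = data.aws_organizations_organization.this.roots[0].id
}
```

Two checks before relying on this: the organization must have all features enabled (SCPs are unavailable in consolidated-billing-only organizations), and SCPs never apply to the management account, so if the auditing application's role lives there it is protected only by that account's own IAM policies. To verify the control, run an action such as `aws iam update-role-description` against AuditAppRole from a non-administrator principal in a member account; the expected result is an AccessDenied error that names an explicit deny in a service control policy.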
B. Create an SCP that includes an Allow statement for changes to the auditing application's IAM role by the trusted administrator IAM role. Include a Deny statement for changes by all other IAM principals. Attach the SCP to the IAM service in each AWS account where the auditing application has an IAM role.
SCPs can be attached only to the organization root, to organizational units, or to individual accounts. There is no way to attach one to "the IAM service" inside an account, so this option cannot be implemented as written.
C. Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the audited AWS accounts.
A permissions boundary is attached to an individual IAM user or role and caps that principal's own effective permissions. It cannot be attached to an AWS account, so it cannot enforce an account-wide or organization-wide restriction.
D. Create an IAM permissions boundary that includes a Deny statement for changes to the auditing application's IAM role. Include a condition that allows the trusted administrator IAM role to make changes. Attach the permissions boundary to the auditing application's IAM role in the AWS accounts.
A permissions boundary on the auditing application's role only limits what that role itself is allowed to do. It says nothing about what other principals may do to the role, so it cannot stop them from modifying or deleting it.