Question 24
Domain 4: Identity and Access ManagementAn AWS security architect is defining IAM permissions so that no single employee can both grant elevated access and use that access to make sensitive production changes. Which authorization design BEST enforces proper separation of duties?
Correct answer: B
Explanation
Separation of duties requires dividing sensitive capabilities among different roles so one person cannot complete all critical steps alone. In IAM design, approval or privilege-assignment actions should be distinct from execution actions. — AWS-Certified-Security-Specialty_Exam-Guide.txt
Why each option is right or wrong
A. Allow the same administrator role to assign privileged policies and perform production deployments for faster operations.
Separation of duties divides critical permissions so one role does not control all sensitive actions.
B. Create separate IAM roles so one role manages elevated access decisions and a different role performs production changes.
The source material identifies enforcing proper separation of duties as the objective. In this scenario, assigning access-management authority to one IAM role and production-change authority to another prevents a single employee from both granting elevated privileges and using them for sensitive actions.
C. Use one shared operations role for all administrators, but require a stronger password policy before production changes.
Authentication strength does not separate authorization responsibilities between different personnel or roles.
D. Grant broad production permissions to each team member, but review their activity after deployment through logging.
Detective review after the fact does not prevent one person from holding conflicting permissions.