AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 206

A cloud team uses AWS Organizations and AWS IAM Identity Center (AWS Single Sign-On) to manage a company's AWS accounts. The company recently established a research team. The research team requires the ability to fully manage the resources in its account. The research team must not be able to create IAM users.

The cloud team creates a Research Administrator permission set in IAM Identity Center for the research team. The permission set has the AdministratorAccess AWS managed policy attached. The cloud team must ensure that no one on the research team can create IAM users.

Which solution will meet these requirements?

Answer options

• A. Create an IAM policy that denies the iam:CreateUser action. Attach the IAM policy to the Research Administrator permission set.
• B. Create an IAM policy that allows all actions except the iam:CreateUser action. Use the IAM policy to set the permissions boundary for the Research Administrator permission set.
• C. Create an SCP that denies the iam:CreateUser action. Attach the SCP to the research team's AWS account.
• D. Create an AWS Lambda function that deletes IAM users. Create an Amazon EventBridge rule that detects the IAM CreateUser event. Configure the rule to invoke the Lambda function.

Correct answer: C

Explanation

The correct answer is C because Service Control Policies (SCPs) can be used to restrict actions at the account level, preventing any IAM user creation within the research team's AWS account. Options A and B do not effectively restrict IAM user creation since policies attached to permission sets do not override SCPs. Option D introduces unnecessary complexity by using Lambda to delete users after they are created, rather than preventing their creation in the first place.