A company uses AWS Organizations to manage hundreds of AWS accounts. The company has a te…

Question

A company uses AWS Organizations to manage hundreds of AWS accounts. The company has a team that is responsible for AWS Identity and Access Management (IAM). The IAM team wants to implement AWS IAM Identity Center (AWS Single Sign-On). The IAM team must have only the minimum needed permissions to manage IAM Identity Center. The IAM team must not be able to gain unneeded access to the Organizations management account. The IAM team must be able to provision new IAM Identity Center permission sets and assignments for existing and new member accounts. Which combination of steps will meet these requirements? (Choose three.)

Accepted Answer

Correct answer: B, D, F. B. Create a new AWS account for the IAM team. In the Organizations management account, enable IAM Identity Center. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center. — D. In IAM Identity Center, create users and a group for the IAM team. Add the users to the group. Create a new permission set. Attach the AWSSSOMemberAccountAdministrator managed IAM policy to the group. — F. Assign the permission set to the new AWS account. Allow the IAM team group to use the permission set. — The correct steps are B, D, and F. Option B allows the IAM team to enable IAM Identity Center without granting them access to the management account. Option D assigns the correct policy that allows the team to manage permissions for member accounts without unnecessary access. Option F ensures that the IAM team has the ability to use the permission set in their own account, which is essential for provisioning permission sets and assignments.

AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 244

Answer options

Correct answer: B, D, F

Explanation