AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 263
A developer is creating a proof of concept for a new software as a service (SaaS) application. The application is in a shared development AWS account that is part of an organization in AWS Organizations.
The developer needs to create service-linked IAM roles for the AWS services that are being considered for the proof of concept. The solution needs to give the developer the ability to create and configure the service-linked roles only.
Which solution will meet these requirements?
Answer options
- A. Create an IAM user for the developer in the organization's management account. Configure a cross-account role in the development account for the developer to use. Limit the scope of the cross-account role to common services.
- B. Add the developer to an IAM group. Attach the PowerUserAccess managed policy to the IAM group. Enforce multi-factor authentication (MFA) on the user account.
- C. Add an SCP to the development account in Organizations. Configure the SCP with a Deny rule for iam:* to limit the developer's access.
- D. Create an IAM role that has the necessary IAM access to allow the developer to create policies and roles. Create and attach a permissions boundary to the role. Grant the developer access to assume the role.
Correct answer: D
Explanation
The correct answer is D. A permissions boundary attached to the developer's role caps that role's effective permissions at the intersection of its identity policy and the boundary. The identity policy can therefore grant the IAM access needed to create roles and policies, while the boundary is written to allow only the service-linked-role actions (iam:CreateServiceLinkedRole, iam:DeleteServiceLinkedRole, and the read and describe calls needed to inspect and configure them). Whatever else the identity policy says, nothing outside the boundary is allowed. Note that the boundary goes on the developer's role, not on the service-linked roles themselves: a service-linked role's permissions are defined by the owning service and cannot carry a permissions boundary.

Option A is incorrect because it creates an IAM user in the organization's management account, which should not hold developer identities, and because a cross-account role "limited to common services" does not express the requirement of creating service-linked roles and nothing else. Option B is incorrect because PowerUserAccess grants nearly every non-IAM action in the account, far more than the task requires; enforcing MFA strengthens authentication but does not narrow authorization. Option C is incorrect because SCPs only restrict: a Deny on iam:* removes every IAM action from every principal in the development account, so the developer could not create any role at all.
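The reasoning above can be checked offline with a simplified model of how IAM combines an identity policy, a permissions boundary and an SCP. The Python below is an added illustration written for this page, not AWS code or the exam's material. It models only Effect, Action and NotAction on Resource "*" (no conditions, resource ARNs or resource-based policies). All policy documents in it are constructed for the example; POWER_USER_APPROX is a hand-written approximation of the AWS managed policy PowerUserAccess for comparison, not a copy of it, and the set of actions in SLR_ACTIONS is an assumed minimum for creating and inspecting service-linked roles.

```python
"""Simplified IAM authorization: identity policy AND permissions boundary AND SCP.

Added illustration, not AWS code. Only Effect/Action/NotAction on Resource "*"
are modelled; the policy documents below are constructed for this example.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    # IAM action names match case-insensitively; '*' and '?' are the wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _statement_applies(stmt, action):
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action NOT listed.
    return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))


def evaluate_policy(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            result = "Allow"
    return result


def is_allowed(action, identity_policy, boundary=None, scp=None):
    """Allowed only if the SCP, the boundary and the identity policy each allow it."""
    policies = [p for p in (scp, boundary, identity_policy) if p is not None]
    return all(evaluate_policy(p, action) == "Allow" for p in policies)


# Assumed minimum set of actions for creating and inspecting service-linked roles.
SLR_ACTIONS = ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
               "iam:GetRole", "iam:ListRoles", "iam:UpdateRoleDescription"]

# Option D: a role with broad IAM access in its identity policy ...
DEV_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
# ... capped by a permissions boundary that names only the service-linked-role actions.
SLR_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SLR_ACTIONS, "Resource": "*"}]}

# Option B: hand-written approximation of PowerUserAccess (everything except
# IAM/Organizations/Account, plus a short allow-list). Not the real managed policy.
POWER_USER_APPROX = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole",
                                   "iam:DeleteServiceLinkedRole", "iam:ListRoles",
                                   "organizations:DescribeOrganization"],
     "Resource": "*"}]}

# Option C: an SCP on the development account that denies iam:* for every principal.
SCP_DENY_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}


def compare_options(action):
    """Whether each answer option lets the developer perform one action."""
    return {
        "B_power_user": is_allowed(action, POWER_USER_APPROX),
        "C_scp_deny_iam": is_allowed(action, DEV_ROLE_POLICY, scp=SCP_DENY_IAM),
        "D_role_with_boundary": is_allowed(action, DEV_ROLE_POLICY, boundary=SLR_BOUNDARY),
    }


if __name__ == "__main__":
    for act in ("iam:CreateServiceLinkedRole", "iam:CreateUser", "s3:DeleteBucket"):
        print(act, compare_options(act))
```

Running it shows the shape of the three options: B permits iam:CreateServiceLinkedRole but also s3:DeleteBucket and every other non-IAM action; C blocks iam:CreateServiceLinkedRole along with all other IAM calls; D permits the service-linked-role actions and nothing else, because the boundary denies by omission whatever the identity policy grants beyond it.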