AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 310

A company uses AWS Organizations to manage hundreds of AWS accounts. The company has a team that is responsible for AWS Identity and Access Management (IAM).

The IAM team wants to implement AWS IAM Identity Center. The IAM team must have only the minimum required permissions to manage IAM Identity Center. The IAM team must not be able to gain unnecessary access to the Organizations management account. The IAM team must be able to provision new IAM Identity Center permission sets and assignments for new and existing member accounts.

Which combination of steps will meet these requirements? (Choose three.)

Answer options

• A. Create a new AWS account for the IAM team. Enable IAM Identity Center in the new account. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.
• B. Create a new AWS account for the IAM team. Enable IAM Identity Center in the Organizations management account. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.
• C. Create an SCP in Organizations. Create a new OU for the Organizations management account, and link the new SCP to the OU. Configure the SCP to deny all access to IAM Identity Center.
• D. Create IAM users and an IAM group for the IAM team in IAM Identity Center. Add the users to the group. Create a new permission set. Attach the AWSSSOMemberAccountAdministrator managed IAM policy to the group.
• E. Assign the new permission set to the Organizations management account. Allow the IAM team's group to use the permission set.
• F. Assign the new permission set to the new AWS account. Allow the IAM team's group to use the permission set.

Correct answer: B, D, F

Explanation

Enabling AWS IAM Identity Center in the Organizations management account and setting up a delegated administrator account (Option B) allows IAM administration to be managed outside of the management account. Utilizing the AWSSSOMemberAccountAdministrator policy (Option D) provides the specific least-privilege permissions needed to manage permission sets and assignments for member accounts. Finally, assigning this permission set to the IAM team's dedicated account (Option F) keeps the administrators isolated in their own environment, preventing unauthorized access to the root management account.