AWS Certified Security – Specialty (SCS-C02) — Question 269
A company has hundreds of AWS accounts and uses AWS Organizations. The company plans to create many different IAM roles and policies for its product team, security team, and platform team. Some IAM policies will be shared across teams.
A security engineer needs to implement a solution to logically group together the IAM roles of each team. The solution must allow only the platform team to delegate IAM permissions to AWS services.
Which solution will meet these requirements?
Answer options
- A. Set up an IAM path with the IAM roles for each team. Deploy an SCP that denies the iam:PassRole permission to all entities except the IAM path of the platform team.
- B. Apply different tags for each team to the IAM roles. Deploy an SCP that denies the sts:AssumeRole permission to all entities except the roles of the platform team.
- C. Apply different tags for each team to the IAM policies. Deploy an SCP that denies the iam:PassRole permission to all entities except the policies of the platform team.
- D. Set up an IAM path with the IAM roles for each team. Use IAM permissions boundaries to deny the sts:AssumeRole permission to the IAM roles for the product team and the security team.
Correct answer: A
Explanation
IAM paths are the standard way to logically group IAM roles and resources for different organizational units or teams. The iam:PassRole permission is the specific mechanism used to delegate permissions to AWS services, making an SCP that restricts iam:PassRole to only the platform team's path the correct solution. Options targeting sts:AssumeRole or using resource tags do not properly address the delegation of permissions to AWS services or the logical grouping requirements.
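The SCP from option A, sketched as an added example that is not part of the original question. It assumes platform-team roles are created under the hypothetical IAM path /platform/. The `arn_like` helper is a simplified local model of the ArnLike operator, not AWS's policy evaluator, and the account ID and role names are constructed.

```python
import json
from fnmatch import fnmatchcase

# Assumption: platform-team roles are created under the IAM path /platform/.
PLATFORM_ROLE_PATTERN = "arn:aws:iam::*:role/platform/*"

# SCP: deny iam:PassRole to every caller whose role is not under /platform/.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPassRoleOutsidePlatformPath",
        "Effect": "Deny",
        "Action": "iam:PassRole",
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": PLATFORM_ROLE_PATTERN}},
    }],
}

def arn_like(arn, pattern):
    """Simplified model of ArnLike: the six colon-delimited ARN components
    are compared one by one, each allowing * and ? wildcards."""
    a, p = arn.split(":", 5), pattern.split(":", 5)
    return len(a) == len(p) == 6 and all(fnmatchcase(x, y) for x, y in zip(a, p))

def scp_denies(principal_arn, action):
    """True if the SCP explicitly denies `action` for this caller."""
    for stmt in SCP["Statement"]:
        pattern = stmt["Condition"]["ArnNotLike"]["aws:PrincipalArn"]
        if (stmt["Effect"] == "Deny"
                and action.lower() == stmt["Action"].lower()
                and not arn_like(principal_arn, pattern)):
            return True
    return False

# Constructed sample callers (account ID and role names are made up).
SAMPLE_PRINCIPALS = [
    "arn:aws:iam::111122223333:role/platform/deploy-role",   # platform path
    "arn:aws:iam::111122223333:role/product/app-role",       # product path
    "arn:aws:iam::111122223333:role/security/audit-role",    # security path
    "arn:aws:iam::111122223333:role/platform-lookalike",     # name prefix, no path
]

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for arn in SAMPLE_PRINCIPALS:
        verdict = "DENY" if scp_denies(arn, "iam:PassRole") else "not denied by SCP"
        print(f"{arn}: {verdict}")
```

The last sample shows why the path, not the role name, is the grouping key: a role named with a `platform` prefix but created outside /platform/ is still denied. An SCP only sets the ceiling, so platform roles still need an IAM policy that allows iam:PassRole, and SCPs do not apply to the organization's management account.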