AWS Certified Security – Specialty (SCS-C02) — Question 61

A company that uses AWS Organizations is using AWS IAM Identity Center (AWS Single Sign-On) to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account.
When the security engineer attempts to assign the permission set to an IAM Identity Center user who has access to multiple accounts, the assignment fails.
What should the security engineer do to resolve this failure?

Answer options

• A. Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.
• B. Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.
• C. Evaluate the logic of the AWS managed policy and the customer managed policy. Resolve any policy conflicts in the permission set before deployment.
• D. Do not add the new permission set to the user. Instead, edit the user's existing permission set to include the AWS managed policy and the customer managed policy.

Correct answer: A

Explanation

The correct answer is A because AWS requires that customer managed policies be created individually in each account where they are referenced in a permission set. Option B is incorrect as separating the policies into different permission sets does not resolve the issue. Option C does not address the root cause of the failure, which is related to the customer managed policy's scope. Option D is also incorrect as it does not solve the need for the customer managed policy in each account.