AWS Certified Security – Specialty — Question 425
A security engineer must develop an AWS Identity and Access Management (IAM) strategy for a company's organization in AWS Organizations. The company needs to give developers autonomy to develop and test their applications on AWS, but the company also needs to implement security guardrails to help protect itself. The company creates and distributes applications with different levels of data classification and types. The solution must maximize scalability.
Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
Answer options
- A. Create an SCP to restrict access to highly privileged or unauthorized actions to specific IAM principals. Assign the SCP to the appropriate AWS accounts.
- B. Create an IAM permissions boundary to allow access to specific actions and IAM principals. Assign the IAM permissions boundary to all IAM principals within the organization.
- C. Create a delegated IAM role that has capabilities to create other IAM roles. Use the delegated IAM role to provision IAM principals by following the principle of least privilege.
- D. Create OUs based on data classification and type. Add the AWS accounts to the appropriate OU. Provide developers access to the AWS accounts based on business need.
- E. Create IAM groups based on data classification and type. Add only the required developers’ IAM role to the IAM groups within each AWS account.
- F. Create IAM policies based on data classification and type. Add the minimum required IAM policies to the developers’ IAM role within each AWS account.
Correct answer: A, C, D
Explanation
Grouping accounts into OUs by data classification and type (Option D) and attaching SCPs to those OUs or accounts (Option A) enforces the guardrails once, at the organization level, rather than per principal, which is what makes the design scale. An SCP never grants permissions; it only caps what the identity policies inside the member accounts can allow, it has no effect on the management account, and it can be conditioned on the calling principal's ARN, so a Deny can carve out an exception for a single delegated role. That delegated role (Option C) is what gives developers autonomy: it can create the roles they need, but it is itself constrained, typically by being allowed to create roles only when each new role carries a fixed permissions boundary, so nothing it provisions can exceed the predefined limits. Option B is not workable as written: a permissions boundary is set on an individual IAM user or role inside one account, there is no way to attach one to "all IAM principals within the organization", and it never applies to the root user. IAM groups can contain only IAM users, not roles, so Option E is technically invalid, and hand-maintaining per-developer IAM policies in every account (Option F) does not scale.
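The policy documents that Options A and C imply, as an added example (this is not code from the exam page and not an AWS-published sample): a Python script that builds the SCP and the delegated role's identity policy and runs a deliberately simplified evaluator over them so the interplay can be checked offline. The account ID, the role names, the `/app/` role path, the `DeveloperBoundary` policy and the list of denied actions are assumptions chosen for illustration.

```python
"""Guardrail pattern from the question as policy documents plus a small checker.

Option A: an SCP that denies privileged actions to everyone in the account
except one delegated role (an SCP removes permission; it never grants any).
Option C: the delegated role's identity policy, which may create roles only
when the new role carries a fixed permissions boundary and may never edit
that boundary. Account id, names and action list are illustrative assumptions.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"           # assumption: a member account in the OU
DELEGATED_ROLE = "IamDelegatedAdmin"  # assumption: name of the Option C role
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/DeveloperBoundary"  # assumption

# Actions a developer must never run directly; only the delegated role may.
PRIVILEGED_ACTIONS = [
    "iam:CreateRole", "iam:CreateUser", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:DeleteRolePermissionsBoundary",
    "organizations:LeaveOrganization", "cloudtrail:StopLogging",
]


def build_scp(delegated_role=DELEGATED_ROLE):
    """Option A: attach to the OU. The aws:PrincipalArn condition exempts the
    delegated role in any account of the OU; every other principal, root
    included, is denied these actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPrivilegedExceptDelegatedRole",
            "Effect": "Deny",
            "Action": PRIVILEGED_ACTIONS,
            "Resource": "*",
            "Condition": {"ArnNotLike": {
                "aws:PrincipalArn": f"arn:aws:iam::*:role/{delegated_role}"}},
        }],
    }


def build_delegated_role_policy(account_id=ACCOUNT_ID, boundary_arn=BOUNDARY_ARN):
    """Option C: the role may provision roles under /app/ only when each new
    role is created with the boundary, and it is explicitly denied from
    changing the boundary policy that keeps those roles in check."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateBoundedRolesOnly",
                "Effect": "Allow",
                "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
                "Resource": f"arn:aws:iam::{account_id}:role/app/*",
                "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary_arn}},
            },
            {
                "Sid": "ProtectTheBoundary",
                "Effect": "Deny",
                "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                           "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
                "Resource": boundary_arn,
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(value, patterns, fold=False):
    """IAM-style '*' wildcard match; action names compare case-insensitively."""
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource="*", principal_arn=None, boundary_arn=None):
    """Simplified evaluation of ONE policy document for a single request.
    Models only Action/Resource wildcards, ArnNotLike on aws:PrincipalArn
    (a missing key makes a Not* condition true, as in IAM) and StringEquals
    on iam:PermissionsBoundary (a missing key makes it false). Returns "Deny",
    "Allow" or "Implicit deny". Real IAM also weighs resource and session
    policies and every SCP above the account; this is a reading aid only."""
    decision = "Implicit deny"
    for st in policy["Statement"]:
        if not _matches(action, _as_list(st["Action"]), fold=True):
            continue
        if not _matches(resource, _as_list(st["Resource"])):
            continue
        cond = st.get("Condition", {})
        exempt = _as_list(cond.get("ArnNotLike", {}).get("aws:PrincipalArn", []))
        if exempt and principal_arn is not None and _matches(principal_arn, exempt):
            continue  # this principal is carved out of the statement
        wanted = cond.get("StringEquals", {}).get("iam:PermissionsBoundary")
        if wanted is not None and boundary_arn != wanted:
            continue  # no boundary, or the wrong one: condition is false
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def scp_blocks(scp, action, principal_arn):
    """True when the SCP denies the action; False means the SCP stays out of
    the way and the account's own identity policies decide."""
    return evaluate(scp, action, "*", principal_arn=principal_arn) == "Deny"


if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
    print(json.dumps(build_delegated_role_policy(), indent=2))
```

Attaching the SCP to the OU (rather than to each account) means every account later moved into that OU inherits the guardrail with no further work, which is the scalability point of Options A and D. When the delegated role creates a role it must pass the boundary (for example `aws iam create-role ... --permissions-boundary arn:aws:iam::111122223333:policy/DeveloperBoundary`); a call without it fails the `StringEquals` condition and is implicitly denied, so nothing the role provisions can exceed the boundary.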