AWS Certified Solutions Architect – Associate (SAA-C02) — Question 500
A company wants to enforce strict security guidelines on accessing AWS Cloud resources as the company migrates production workloads from its data centers.
Company management wants all users to receive permissions according to their job roles and functions.
Which solution meets these requirements with the LEAST operational overhead?
Answer options
- A. Create an AWS Single Sign-On deployment. Connect to the on-premises Active Directory to centrally manage users and permissions across the company.
- B. Create an IAM role for each job function. Require each employee to call the sts:AssumeRole action in the AWS Management Console to perform their job role.
- C. Create individual IAM user accounts for each employee. Create an IAM policy for each job function, and attach the policy to all IAM users based on their job role.
- D. Create individual IAM user accounts for each employee. Create IAM policies for each job function. Create IAM groups, and attach associated policies to each group. Assign the IAM users to a group based on their job role.
Correct answer: D
Explanation
Attaching policies to IAM groups and placing users in those groups is the AWS-recommended way to manage permissions for many IAM users, and it carries less operational overhead than managing each user's permissions individually. Each job function maps to one group with one set of policies; when a user joins, leaves, or changes roles, the administrator only changes group membership rather than editing per-user policy attachments. Option C attaches policies directly to every user, so each policy change must be repeated for every user with that job function, which increases administrative effort and the chance of inconsistent permissions. Option B forces every employee to assume a role for each job function in the AWS Management Console, adding a role-switching step and a trust-policy configuration for each role without simplifying permission management. Option A introduces an AWS Single Sign-On deployment connected to on-premises Active Directory, which adds directory integration and SSO setup to maintain beyond what the stated requirement (permissions assigned by job role) needs.
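The group-based model from Option D, written out as an AWS CloudFormation template. This is an added example, not part of the original question or AWS documentation; the group, policy, user and bucket names are made up for illustration. One group is created per job function, a customer managed policy scoped to that function is attached to the group, and users are granted permissions solely by being placed in the group.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Job-function IAM groups with attached policies (added example; all
  names are hypothetical). Users receive permissions only through
  group membership, never through directly attached policies.

Resources:
  # One group per job function. Permissions live on the group.
  DevelopersGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: Developers

  ReadOnlyAuditorsGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: ReadOnlyAuditors
      # AWS managed policy is sufficient for this job function.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

  # Customer managed policy scoped to what developers need; attached
  # to the group, so changing it updates every developer at once.
  DeveloperArtifactAccess:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DeveloperArtifactAccess
      Groups:
        - !Ref DevelopersGroup
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ListArtifactBucket
            Effect: Allow
            Action: s3:ListBucket
            Resource: arn:aws:s3:::example-app-artifacts   # hypothetical bucket
          - Sid: ReadWriteArtifacts
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
            Resource: arn:aws:s3:::example-app-artifacts/*
          - Sid: ReadOwnServiceLogs
            Effect: Allow
            Action:
              - logs:DescribeLogGroups
              - logs:GetLogEvents
              - logs:FilterLogEvents
            Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/app/*

  # Users carry no policies of their own; membership decides access.
  AliceUser:
    Type: AWS::IAM::User
    Properties:
      UserName: alice          # hypothetical employee
      Groups:
        - !Ref DevelopersGroup

  BobUser:
    Type: AWS::IAM::User
    Properties:
      UserName: bob            # hypothetical employee
      Groups:
        - !Ref ReadOnlyAuditorsGroup

  # A role change is a membership change, not a policy edit.
  CarolUser:
    Type: AWS::IAM::User
    Properties:
      UserName: carol          # hypothetical employee with two functions
      Groups:
        - !Ref DevelopersGroup
        - !Ref ReadOnlyAuditorsGroup
```

Deploy with `aws cloudformation deploy --stack-name iam-job-functions --template-file groups.yaml --capabilities CAPABILITY_NAMED_IAM` (the named-IAM capability is required because the template sets explicit group, policy and user names). The contrast with Option C is the `Groups:` property on each user: no `Policies` or `ManagedPolicyArns` appear on any `AWS::IAM::User`, so a review of the users alone shows they hold no standalone permissions, and an audit of effective access reduces to listing group memberships and group policies.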