AWS Certified Solutions Architect – Associate (SAA-C02) — Question 787
A company is expecting rapid growth in the near future. A solutions architect needs to configure existing users and grant permissions to new users on AWS. The solutions architect has decided to create IAM groups. The solutions architect will add the new users to IAM groups based on department.
Which additional action is the MOST secure way to grant permissions to the new users?
Answer options
- A. Apply service control policies (SCPs) to manage access permissions
- B. Create IAM roles that have least privilege permission. Attach the roles to the IAM groups
- C. Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups
- D. Create IAM roles. Associate the roles with a permissions boundary that defines the maximum permissions
Correct answer: C
Explanation
Attaching an IAM policy that grants only least-privilege permissions directly to the IAM groups is the standard, most secure method for granting permissions to the users in those groups: each user inherits the group's policies, so permissions are managed per department rather than per user. IAM roles cannot be attached to IAM groups (roles are assumed by a principal, not attached to a group), which makes options B and D incorrect; a permissions boundary also only caps the maximum permissions an entity can have and grants nothing on its own. Service control policies (SCPs) apply to accounts and organizational units within AWS Organizations and likewise only restrict the maximum available permissions; they do not grant permissions to IAM groups, making option A incorrect.