AWS Certified Solutions Architect – Associate (SAA-C03) — Question 458

A company is expecting rapid growth in the near future. A solutions architect needs to configure existing users and grant permissions to new users on AWS. The solutions architect has decided to create IAM groups. The solutions architect will add the new users to IAM groups based on department.

Which additional action is the MOST secure way to grant permissions to the new users?

Answer options

• A. Apply service control policies (SCPs) to manage access permissions
• B. Create IAM roles that have least privilege permission. Attach the roles to the IAM groups
• C. Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups
• D. Create IAM roles. Associate the roles with a permissions boundary that defines the maximum permissions

Correct answer: C

Explanation

To assign permissions to users within an IAM group, you must attach an IAM policy directly to that group while adhering to the principle of least privilege. IAM roles cannot be attached to IAM groups, making options B and D incorrect. Service control policies (SCPs) are used in AWS Organizations to set permission boundaries at the account level rather than granting permissions to specific IAM groups, making option A incorrect.