AWS Certified Solutions Architect – Associate (SAA-C03) — Question 754
A solutions architect is designing an AWS Identity and Access Management (IAM) authorization model for a company's AWS account. The company has designated five specific employees to have full access to AWS services and resources in the AWS account.
The solutions architect has created an IAM user for each of the five designated employees and has created an IAM user group.
Which solution will meet these requirements?
Answer options
- A. Attach the AdministratorAccess resource-based policy to the IAM user group. Place each of the five designated employee IAM users in the IAM user group.
- B. Attach the SystemAdministrator identity-based policy to the IAM user group. Place each of the five designated employee IAM users in the IAM user group.
- C. Attach the AdministratorAccess identity-based policy to the IAM user group. Place each of the five designated employee IAM users in the IAM user group.
- D. Attach the SystemAdministrator resource-based policy to the IAM user group. Place each of the five designated employee IAM users in the IAM user group.
Correct answer: C
Explanation
To grant complete administrative access to AWS services, the AWS-managed 'AdministratorAccess' policy must be used. Because IAM user groups only support identity-based policies (and not resource-based policies), attaching the 'AdministratorAccess' identity-based policy to the group is the correct approach. The 'SystemAdministrator' policy is not designed to grant full administrative access.