AWS Certified Solutions Architect – Professional — Question 941

The Security team needs to provide a team of interns with an AWS environment so they can build a serverless video transcoding application. The project will use
Amazon S3, AWS Lambda, Amazon API Gateway, Amazon Cognito, Amazon DynamoDB, and Amazon Elastic Transcoder.
The interns should be able to create and configure the necessary resources, but they may not have access to create or modify AWS IAM roles. The Solutions
Architect creates a policy and attaches it to the interns' group.
How should the Security team configure the environment to ensure that the interns are self-sufficient?

Answer options

• A. Create a policy that allows creation of project-related resources only. Create roles with required service permissions, which are assumable by the services.
• B. Create a policy that allows creation of all project-related resources, including roles that allow access only to specified resources.
• C. Create roles with the required service permissions, which are assumable by the services. Have the interns create and use a bastion host to create the project resources in the project subnet only.
• D. Create a policy that allows creation of project-related resources only. Require the interns to raise a request for roles to be created with the Security team. The interns will provide the requirements for the permissions to be set in the role.

Correct answer: A

Explanation

Option A is correct because pre-creating the service roles allows the serverless resources (like Lambda) to assume them, enabling the interns to build their application without needing IAM creation permissions. Option B is incorrect because granting IAM role creation permissions violates the security constraint of the scenario. Options C and D are incorrect because a bastion host is irrelevant for serverless resource creation, and requiring manual support tickets prevents the interns from being self-sufficient.