AWS Certified DevOps Engineer – Professional — Question 153
A company has AWS accounts that are members of the same organization in AWS Organizations. According to the company's security policy, IAM customer managed policies must be scoped to specific actions and must not include wildcard actions on wildcard resources.
If an IAM customer managed policy is created or modified in any of the company's AWS accounts to grant wildcard actions on resources that also specify wildcards, the policy must be detached from any IAM user, role, or group that the policy is attached to. Individual AWS account administrators must not be able to prevent the removal of the policies.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. Configure automatic remediation to run the AWSConfigRemediation-DetachIAMPolicy AWS Systems Manager Automation runbook.
- B. Configure automatic remediation to invoke a custom AWS Lambda function to detach the IAM policy from the affected resources.
- C. Configure automatic remediation to use AWS Systems Manager Run Command to detach the IAM policy from the affected resources.
- D. Turn on AWS Config by using an AWS CloudFormation stack set that is created in a central account. Configure automatic deployment for the stack set, and specify the organization as the target. Configure the iam-policy-no-statements-with-full-access AWS Config managed rule in the central account.
- E. Turn on AWS Config for the organization. Create a new AWS account. Configure the account as a delegated administrator account for AWS Config. Configure the iam-policy-no-statements-with-full-access AWS Config managed rule in the delegated administrator account.
Correct answer: A, D
Explanation
Option A is correct because it automates the detachment of non-compliant IAM policies through a predefined runbook, so no account administrator has to act for the policy to be removed. Option D is also correct because it turns on AWS Config across the organization from a central account, giving centralized management and automatic application of the needed rule in every member account. The other options either do not meet the requirements or involve manual processes that could allow administrators to bypass the policy removal.
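A CloudFormation template of the kind the stack set in option D would deploy into each member account, wiring the managed rule to the runbook from option A. This is an added example, not part of the original question; the remediation role name, its permission set, and the runbook parameter names (AutomationAssumeRole, IAMPolicyId) are assumptions to verify against the runbook's documentation, and the template assumes the Config recorder is already running in the account.

```yaml
AWSTemplateFormatVersion: "2010-09-09"

Resources:
  # Option D: the managed rule that flags policies with wildcard statements
  WildcardPolicyRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-policy-no-statements-with-full-access
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_FULL_ACCESS

  # Role the Automation runbook assumes (hypothetical name). Actions are
  # listed explicitly so the role itself satisfies the "no wildcard actions"
  # policy; the exact set the runbook needs is an assumption to verify.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ssm.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: DetachIamPolicyOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - iam:GetPolicy
                  - iam:ListEntitiesForPolicy
                  - iam:DetachUserPolicy
                  - iam:DetachRolePolicy
                  - iam:DetachGroupPolicy
                Resource: "*"

  # Option A: automatic remediation through the predefined runbook, with
  # retries so a transient failure does not leave the policy attached
  DetachRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref WildcardPolicyRule
      TargetType: SSM_DOCUMENT
      TargetId: AWSConfigRemediation-DetachIAMPolicy
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values: [!GetAtt RemediationRole.Arn]
        IAMPolicyId:
          ResourceValue:
            Value: RESOURCE_ID   # Config passes the non-compliant policy's ID
```

Because the stack set is service-managed from the central account, member-account administrators cannot edit or delete these resources in their own account, which is what keeps them from preventing the detachment.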