A security engineer must develop an AWS Identity and Access Management (IAM) strategy for a company's organization in AWS Organizations. The company needs to give developers autonomy to develop and test their applications on AWS, but the company also needs to implement security guardrails to help protect itself. The company creates and distributes applications with different levels of data classification and types. The solution must maximize scalability. Which combination of…

Category: SCS-C01
Admin Staff asked 3 months ago
A security engineer must develop an AWS Identity and Access Management (IAM) strategy for a company's organization in AWS Organizations. The company needs to give developers autonomy to develop and test their applications on AWS, but the company also needs to implement security guardrails to help protect itself. The company creates and distributes applications with different levels of data classification and types. The solution must maximize scalability.
Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

A. Create an SCP to restrict access to highly privileged or unauthorized actions to specific IAM principals. Assign the SCP to the appropriate AWS accounts.

B. Create an IAM permissions boundary to allow access to specific actions and IAM principals. Assign the IAM permissions boundary to all IAM principals within the organization.

C. Create a delegated IAM role that has capabilities to create other IAM roles. Use the delegated IAM role to provision IAM principals by following the principle of least privilege.

D. Create OUs based on data classification and type. Add the AWS accounts to the appropriate OU. Provide developers access to the AWS accounts based on business need.

E. Create IAM groups based on data classification and type. Add only the required developers’ IAM role to the IAM groups within each AWS account.

F. Create IAM policies based on data classification and type. Add the minimum required IAM policies to the developers’ IAM role within each AWS account.




 

Suggested Answer: ACE

Community Answer: ACD




This question is in the SCS-C01 AWS Certified Security – Specialty exam, for obtaining the AWS Certified Security – Specialty certificate.


Disclaimers:
The website is not related to, affiliated with, endorsed or authorized by Amazon.
Trademarks, certification & product names are used for reference only and belong to Amazon.
The website does not contain actual questions and answers from Amazon's Certification Exam.