Amazon Exam DOP-C01 Topic 18 Question 84 Discussion

Actual exam question for Amazon's DOP-C01 exam

Question #: 84
Topic #: 18

A company's legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. A DevOps engineer needs to ensure new IAM users cannot be created unless the employee creating the IAM user is on an exception list.

Which solution will meet these requirements?

AAttach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringNotEquals for aws:username with a value of the exception list.

BAttach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringEquals for aws:username with a value of the exception list.

CCreate an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateAccessKey action with an AWS Lambda function target. The function will check the user name account against an exception list. If the user is not in the exception list, the function will delete the user.

DCreate an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateUser action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not in the exception list, the function will delete the user.

Show Suggested Answer

Suggested Answer: B

by Talia at Dec 24, 2023, 10:41 AM

Limited Time Offer

25%

Off

Get Premium DOP-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Chun

7 months ago

I think option C or D might be the way to go. Using an EventBridge rule to trigger a Lambda function that checks the user against an exception list seems like a more flexible solution. That way, we can control who can create IAM users without having to rely on the Organizations SCP.

upvoted 0 times

Viva

7 months ago

B: So, option C it is then?

upvoted 0 times

...

Erinn

7 months ago

A: Definitely, especially when it comes to managing user credentials and access to resources.

upvoted 0 times

...

Timothy

7 months ago

B: It's always good to have multiple layers of security in place.

upvoted 0 times

...

Ira

7 months ago

A: Exactly, it gives us more control without having to rely solely on the Organizations SCP.

upvoted 0 times

...

Karina

7 months ago

B: I agree, having that flexibility to control who can create IAM users is important.

upvoted 0 times

...

Lorita

7 months ago

A: I think option C is the best choice here because it involves using an EventBridge rule and Lambda function to check against an exception list.

upvoted 0 times

...

Francisca

7 months ago

Option B does sound like it might work, but I'm a bit concerned about the condition using StringEquals. Wouldn't that allow users on the exception list to create IAM users, but not anyone else? I feel like we need something more restrictive.

upvoted 0 times

...

Casey

7 months ago

Yeah, I'm a bit confused too. It's not entirely clear to me what the best solution would be. I'm leaning towards option B, but I'm not sure if that's the right approach.

upvoted 0 times

...

Victor

7 months ago

This question seems pretty tricky. I'm not sure if I fully understand the requirements, but it sounds like we need to find a way to restrict IAM user creation unless the user is on an exception list.

upvoted 0 times

...