Amazon Exam DOP-C01 Topic 9 Question 94 Discussion

Actual exam question for Amazon's DOP-C01 exam

Question #: 94
Topic #: 9

A company's legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. A DevOps engineer needs to ensure new IAM users cannot be created unless the employee creating the IAM user is on an exception list.

Which solution will meet these requirements?

AAttach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringNotEquals for aws:username with a value of the exception list.

BAttach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringEquals for aws:username with a value of the exception list.

CCreate an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateAccessKey action with an AWS Lambda function target. The function will check the user name account against an exception list. If the user is not in the exception list, the function will delete the user.

DCreate an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateUser action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not in the exception list, the function will delete the user.

Show Suggested Answer

Suggested Answer: B

by Genevive at Jun 02, 2024, 10:03 AM

Limited Time Offer

25%

Off

Get Premium DOP-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Glory

6 months ago

Option C is interesting, but wouldn't it be simpler to just use an SCP to deny the IAM user creation action altogether? Less code to maintain, you know?

upvoted 0 times

...

Casandra

6 months ago

Haha, I'm picturing the non-exception list users trying to create IAM users and just getting a big fat 'DENIED!' Error message. Option B for the win!

upvoted 0 times

...

Rosenda

6 months ago

I agree with Genevive. Option D looks like the most flexible and dynamic solution. Plus, deleting the user if they're not on the exception list is a nice touch.

upvoted 0 times

Clarinda

6 months ago

Yeah, I agree. It seems like the most efficient solution.

upvoted 0 times

...

Myrtie

6 months ago

I think option D is the best choice here.

upvoted 0 times

...

Genevive

6 months ago

Hmm, I'm not sure about Option B. Wouldn't it be better to use an EventBridge rule to catch the IAM user creation event and handle it dynamically? That way, we don't have to maintain a static exception list.

upvoted 0 times

Kayleigh

6 months ago

I also think Option C is the way to go. It provides a more flexible solution for handling IAM user creation.

upvoted 0 times

...

Zena

6 months ago

A: Exactly, it would save us time and make the process more efficient.

upvoted 0 times

...

Vanda

6 months ago

B: Yeah, that could be a more dynamic solution. We wouldn't have to manually update the exception list.

upvoted 0 times

...

Yolando

6 months ago

A: I think Option C could work well. Using EventBridge to check against an exception list sounds like a good idea.

upvoted 0 times

...

Otis

6 months ago

I agree, Otis. Option C seems like a more dynamic approach compared to maintaining a static exception list with Option B.

upvoted 0 times

...

Antione

6 months ago

I think Option C might be a good solution. Using EventBridge to check against an exception list sounds efficient.

upvoted 0 times

...

Josphine

7 months ago

I disagree, I believe option A is better as it specifically denies the creation of access keys for IAM users not on the exception list.

upvoted 0 times

...

Juliann

7 months ago

Option B seems like the way to go. We need to explicitly deny IAM user creation for non-exception list users, and that's exactly what this option does.

upvoted 0 times