Amazon Exam DOP-C01 Topic 2 Question 89 Discussion

Actual exam question for Amazon's DOP-C01 exam

Question #: 89
Topic #: 2

A company's legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. A DevOps engineer needs to ensure new IAM users cannot be created unless the employee creating the IAM user is on an exception list.

Which solution will meet these requirements?

AAttach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringNotEquals for aws:username with a value of the exception list.

BAttach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringEquals for aws:username with a value of the exception list.

CCreate an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateAccessKey action with an AWS Lambda function target. The function will check the user name account against an exception list. If the user is not in the exception list, the function will delete the user.

DCreate an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateUser action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not in the exception list, the function will delete the user.

Show Suggested Answer

Suggested Answer: B

by Edna at Apr 09, 2024, 05:53 AM

Limited Time Offer

25%

Off

Get Premium DOP-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Chuck

4 hours ago

That's a good point. Option A does seem like the most reliable and straightforward solution. It's also more preventative than the EventBridge approach, which could still allow some unauthorized users to be created before they're deleted.

upvoted 0 times

...

Pok

4 hours ago

Can we just agree that any solution involving deleting users after the fact is a terrible idea? That's like trying to catch a speeding bullet with your bare hands.

upvoted 0 times

...

Dorsey

1 days ago

I think Option A is the way to go. By using an SCP with a condition that excludes the exception list, we can effectively block the iam:CreateAccessKey action for all non-authorized users. This way, we don't have to worry about race conditions or other potential issues.

upvoted 0 times

...

Becky

2 days ago

I don't know, guys. Wouldn't Option B be simpler since we only need to worry about creating new users, not access keys? Plus, it's more direct - no need for fancy EventBridge rules or Lambda functions.

upvoted 0 times

...

Dick

2 days ago

I agree, this is a complex scenario. We need to make sure the solution not only meets the requirements but also doesn't introduce any unintended consequences.

upvoted 0 times

...

Dottie

3 days ago

This question is a bit tricky. We need to carefully consider the requirements and the options provided to find the best solution.

upvoted 0 times

...

Norah

3 days ago

Yeah, those options are way too complicated. Why go through all that trouble when you can just use an SCP to explicitly deny the actions you don't want? I vote for Option A.

upvoted 0 times

...

Tasia

4 days ago

Ha! I like how Option C and D try to be sneaky and delete the user after they've been created. Talk about a band-aid on a bullet wound!

upvoted 0 times

...

Mertie

6 days ago

I'm not so sure about that. Option B only denies the CreateUser action, but we also need to prevent new access keys from being created. I think Option A might be a better solution since it covers both CreateUser and CreateAccessKey.

upvoted 0 times

...

Lashon

8 days ago

This question seems pretty straightforward. I think Option B is the best answer here - we need to deny IAM users from being created unless they're on an exception list, and that's exactly what this option does.

upvoted 0 times

...