Amazon Exam DOP-C01 Topic 2 Question 89 Discussion

Actual exam question for Amazon's DOP-C01 exam

Question #: 89
Topic #: 2

A company's legacy application uses IAM user credentials to access resources in the company's AWS Organizations organization. A DevOps engineer needs to ensure new IAM users cannot be created unless the employee creating the IAM user is on an exception list.

Which solution will meet these requirements?

AAttach an Organizations SCP with an explicit deny for all iam:CreateAccessKey actions with a condition that excludes StringNotEquals for aws:username with a value of the exception list.

BAttach an Organizations SCP with an explicit deny for all iam:CreateUser actions with a condition that includes StringEquals for aws:username with a value of the exception list.

CCreate an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateAccessKey action with an AWS Lambda function target. The function will check the user name account against an exception list. If the user is not in the exception list, the function will delete the user.

DCreate an Amazon EventBridge (Amazon CloudWatch Events) rule with a pattern that matches the iam:CreateUser action with an AWS Lambda function target. The function will check the user name and account against an exception list. If the user is not in the exception list, the function will delete the user.

Show Suggested Answer

Suggested Answer: B

by Edna at Apr 09, 2024, 05:53 AM

Limited Time Offer

25%

Off

Get Premium DOP-C01 Questions as Interactive Web-Based Practice Test or PDF

Comments

Submit Cancel

Mertie

1 days ago

I'm not so sure about that. Option B only denies the CreateUser action, but we also need to prevent new access keys from being created. I think Option A might be a better solution since it covers both CreateUser and CreateAccessKey.

upvoted 0 times

...

Lashon

3 days ago

This question seems pretty straightforward. I think Option B is the best answer here - we need to deny IAM users from being created unless they're on an exception list, and that's exactly what this option does.

upvoted 0 times

...