Amazon Exam SCS-C01 Topic 3 Question 62 Discussion

Actual exam question for Amazon's SCS-C01 exam

Question #: 62
Topic #: 3

A company has an application hosted in an Amazon EC2 instance and wants the application to access secure strings stored in IAM Systems Manager Parameter Store When the application tries to access the secure string key value, it fails.

Which factors could be the cause of this failure? (Select TWO.)

AThe EC2 instance role does not have decrypt permissions on the IAM Key Management Sen/ice (IAM KMS) key used to encrypt the secret

BThe EC2 instance role does not have read permissions to read the parameters In Parameter Store

CParameter Store does not have permission to use IAM Key Management Service (IAM KMS) to decrypt the parameter

DThe EC2 instance role does not have encrypt permissions on the IAM Key Management Service (IAM KMS) key associated with the secret

EThe EC2 instance does not have any tags associated.

Show Suggested Answer

Suggested Answer: D

To create a process that will allow application teams to provision their own IAM roles, while limiting the scope of IAM roles and preventing privilege escalation, the following steps are required:

Create a service control policy (SCP) that defines the maximum permissions that can be granted to any IAM role in the organization. An SCP is a type of policy that you can use with AWS Organizations to manage permissions for all accounts in your organization. SCPs restrict permissions for entities in member accounts, including each AWS account root user, IAM users, and roles. For more information, see Service control policies overview.

Create a permissions boundary for IAM roles that matches the SCP. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. A permissions boundary allows an entity to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. For more information, see Permissions boundaries for IAM entities.

Add the SCP to the root organizational unit (OU) so that it applies to all accounts in the organization. This will ensure that no IAM role can exceed the permissions defined by the SCP, regardless of how it is created or modified.

Instruct the application teams to attach the permissions boundary to any IAM role they create. This will prevent them from creating IAM roles that can escalate their own privileges or access resources they are not authorized to access.

This solution will meet the requirements with the least operational overhead, as it leverages AWS Organizations and IAM features to delegate and limit IAM role creation without requiring manual reviews or approvals.

The other options are incorrect because they either do not allow application teams to provision their own IAM roles (A), do not limit the scope of IAM roles or prevent privilege escalation (B), or do not take advantage of managed services whenever possible .

Verified Reference:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

by Jules at May 31, 2024, 10:27 PM

Limited Time Offer

25%

Off

Get Premium SCS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Malcom

10 months ago

Option C? More like 'See ya later, operational overhead!' Putting each account in its own OU? That's overkill, even for a company with 1,000 accounts.

upvoted 0 times

...

I think option D is the best solution. It limits the scope of IAM roles and prevents privilege escalation.

upvoted 0 times

...

11 months ago

I agree, option D seems like the most efficient solution.

upvoted 0 times

...