What is the MOST efficient way to design an architecture to meet these requirements?
Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the PowerUserAccess managed policy to the role. Apply an inline policy to all IAM users and roles in every AWS account to deny permissions on the AWSPrivateMarketplaceAdminFullAccess managed policy.
Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the AdministratorAccess managed policy to the role. Define a permissions boundary with the AWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the developer roles.
Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
Create an IAM role named procurement-manager-role in all AWS accounts that will be used by developers. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an SCP in Organizations to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Apply the SCP to all the shared services accounts in the organization.
Explanations:
This option allows the procurement manager role to have PowerUserAccess, which may not restrict other users effectively. Additionally, applying inline policies to every IAM user and role could lead to management overhead and potential inconsistencies across accounts. Denying access at this level does not ensure only the procurement manager has the necessary administrative access.
While this option suggests using a permissions boundary to restrict access, assigning AdministratorAccess to the procurement-manager-role allows excessive privileges beyond just managing Private Marketplace. This could lead to security risks as it grants broad permissions rather than focusing solely on the necessary access.
This option effectively restricts administrative access to Private Marketplace by granting only the procurement-manager-role the necessary permissions. The use of Service Control Policies (SCPs) ensures that no other user can administer the Private Marketplace, while preventing the creation of additional roles that could bypass this restriction.
Although this option creates a role with the correct permissions, applying the SCP only to shared services accounts may not enforce the restriction organization-wide. Developers in other accounts might still be able to administer the Private Marketplace if not properly restricted by SCPs, which would not meet the requirement of limiting access solely to the procurement-manager-role.
In my opinion, the answer is:
Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.