Which solution will meet these requirements with the LEAST operational overhead?

By:
On:
In: SCS-C01
Tagged:
With: 0 Comments
A company is designing a multi-account structure for its development teams.The company is using AWS Organizations and AWS Single Sign-On (AWS SSO).The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.

Which solution will meet these requirements with the LEAST operational overhead?

Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.

Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

For each AWS account, create tailored identity-based policies for AWS SSO. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

Explanations:

AWS SSO does not use service-linked roles for access control. Service-linked roles are used for AWS services to access other AWS services, not for user access.

Deactivating AWS STS in Regions does not restrict access to specific AWS services or specific Regions in a granular way. This does not meet the requirement.

SCPs (Service Control Policies) can restrict access to specific Regions and services across all AWS accounts in an AWS Organization, providing a scalable solution with minimal overhead.

Identity-based policies for AWS SSO would require manual configuration for each user or group in each account, leading to higher operational overhead than using SCPs.

Leave a Reply

Your email address will not be published. Required fields are marked *

14 + 15 =