How should the Security team configure the environment to ensure that the interns are self-sufficient?

By:
In: SAP-C01
Tagged:
With: 1 Comment
The Security team needs to provide a team of interns with an AWS environment so they can build a serverless video transcoding application.The project will useAmazon S3, AWS Lambda, Amazon API Gateway, Amazon Cognito, Amazon DynamoDB, and Amazon Elastic Transcoder.The interns should be able to create and configure the necessary resources, but they may not have access to create or modify AWS IAM roles.The SolutionsArchitect creates a policy and attaches it to the interns’ group.

How should the Security team configure the environment to ensure that the interns are self-sufficient?

Create a policy that allows creation of project-related resources only. Create roles with required service permissions, which are assumable by the services.

Create a policy that allows creation of all project-related resources, including roles that allow access only to specified resources.

Create roles with the required service permissions, which are assumable by the services. Have the interns create and use a bastion host to create the project resources in the project subnet only.

Create a policy that allows creation of project-related resources only. Require the interns to raise a request for roles to be created with the Security team. The interns will provide the requirements for the permissions to be set in the role.

Explanations:

This is the correct approach. By creating a policy that allows the interns to create project-related resources (S3 buckets, Lambda functions, API Gateway APIs, DynamoDB tables, Elastic Transcoder pipelines, Cognito user pools), and pre-creating IAM roles with the necessary permissions for those resources to function (e.g., a Lambda execution role, a role for API Gateway to invoke Lambda, etc.), the interns can deploy and run their application without needing to create or modify IAM roles themselves. This adheres to the principle of least privilege and fulfills the requirement that interns cannot create or modify roles.

This directly contradicts the requirement that interns maynotcreate or modify IAM roles. Allowing them to create roles would give them excessive privileges and violate security best practices.

Using a bastion host doesn’t solve the core issue of IAM permissions. Even if the interns used a bastion host, they would still need appropriate IAM permissions to create the resources. This option introduces unnecessary complexity and doesn’t address the requirement of preventing interns from managing IAM roles. Additionally, limiting them to a single subnet doesn’t prevent them from creating resources in other services or modifying resources they shouldn’t.

This creates an inefficient workflow. Requiring interns to submit requests to the Security team for every role they need would significantly slow down development and create a bottleneck. It also contradicts the goal of making the interns self-sufficient. Pre-creating the necessary roles is a much more efficient and scalable solution.

2025-10-03

1 Comment

  1. Thomas
    Author

    I systematize that the answer is:
    Create a policy that allows creation of project-related resources only. Create roles with required service permissions, which are assumable by the services.

Leave a Reply

Your email address will not be published. Required fields are marked *

four × 5 =