How should a solutions architect address this issue?
Create an Amazon SNS topic to send an alert every time a developer creates a new policy.
Use service control policies to disable IAM activity across all accounts in the organizational unit.
Prevent the developers from attaching any policies and assign all IAM duties to the security operations team.
Set an IAM permissions boundary on the developer IAM role that explicitly denies attaching the administrator policy.
Explanations:
Creating an SNS topic to alert on policy creation is a detective control, not a preventive one: it notifies the team after a policy has been created or attached, but does nothing to stop a developer from attaching the administrator policy in the first place.
A service control policy that disables IAM activity applies to every principal in the organizational unit, including the security operations team and any automation, and blocks all IAM operations rather than just developers attaching the administrator policy. It is far broader than the problem requires.
Completely preventing developers from attaching any policies removes their ability to experiment and build independently, and assigning all IAM duties to the security operations team creates a bottleneck that is unlikely to be sustainable.
An IAM permissions boundary caps the permissions a role can actually use, regardless of what its identity-based policies grant. A boundary on the developer role that includes an explicit Deny on the iam:Attach*Policy actions for the AdministratorAccess policy ARN blocks exactly that escalation path while leaving the rest of the developers' IAM and service permissions intact, which addresses the security concern without taking away the flexibility they need.
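To make the boundary mechanism concrete, here is an added example that is not part of the original question set. It embeds a constructed permissions boundary document with an explicit Deny on attaching the AWS-managed AdministratorAccess policy, together with a deliberately over-broad identity-based policy, and runs both through a simplified model of IAM evaluation (effective permission = Allow in the identity policy AND Allow in the boundary, with any explicit Deny winning). The evaluator is a teaching approximation: it ignores Resource matching, supports only a few condition operators, and is not AWS's evaluation engine. The policy documents, Sids and the role name are assumptions for the example.

```python
"""Simplified model of how an IAM permissions boundary constrains a role.

Added example: the policy documents below are constructed for illustration
and the evaluator approximates IAM semantics (no Resource matching, only a
few condition operators, case-insensitive ARN comparison).
"""
import fnmatch
import json

# Hypothetical boundary attached to the developer role. The Allow statement is
# the ceiling of what the role may ever do; the Deny statement blocks attaching
# the AdministratorAccess managed policy to any user, group or role.
DEVELOPER_BOUNDARY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeveloperCeiling",
      "Effect": "Allow",
      "Action": ["iam:*", "s3:*", "lambda:*", "logs:*"],
      "Resource": "*"
    },
    {
      "Sid": "NoAdminPolicyAttach",
      "Effect": "Deny",
      "Action": ["iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy"],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {"iam:PolicyARN": "arn:aws:iam::aws:policy/AdministratorAccess"}
      }
    }
  ]
}
""")

# Hypothetical identity-based policy on the developer role: deliberately broad,
# which is exactly the situation a boundary is meant to contain.
DEVELOPER_IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}
""")


def _matches(patterns, value):
    """IAM action names are case-insensitive and support '*' wildcards."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)


def _condition_ok(condition, context):
    """Evaluate a Condition block against request context keys.

    Only equality/wildcard operators are modelled. A key that is absent from
    the request context makes the condition false, as in IAM (for operators
    without the ...IfExists suffix).
    """
    for operator, pairs in condition.items():
        if operator not in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or not _matches(expected, actual):
                return False
    return True


def evaluate_policy(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        result = "Allow"
    return result


def is_allowed(identity_policy, boundary, action, context=None):
    """Effective permission: both documents must Allow, and neither may Deny."""
    context = context or {}
    identity = evaluate_policy(identity_policy, action, context)
    bound = evaluate_policy(boundary, action, context)
    if "Deny" in (identity, bound):
        return False
    return identity == "Allow" and bound == "Allow"


def developer_can(action, policy_arn=None):
    """Convenience wrapper for the constructed developer role."""
    context = {"iam:PolicyARN": policy_arn} if policy_arn else {}
    return is_allowed(DEVELOPER_IDENTITY_POLICY, DEVELOPER_BOUNDARY, action, context)


if __name__ == "__main__":
    admin = "arn:aws:iam::aws:policy/AdministratorAccess"
    readonly = "arn:aws:iam::aws:policy/ReadOnlyAccess"
    print("attach AdministratorAccess:", developer_can("iam:AttachRolePolicy", admin))
    print("attach ReadOnlyAccess:     ", developer_can("iam:AttachRolePolicy", readonly))
    print("ec2:RunInstances:          ", developer_can("ec2:RunInstances"))
```

Running the block shows the two effects a practitioner should expect from a boundary: attaching AdministratorAccess is refused even though the identity policy grants "*", because the boundary's explicit Deny wins, while attaching ReadOnlyAccess still succeeds. It also shows that the boundary's Allow statement is a ceiling in its own right: ec2:RunInstances is refused simply because the boundary never allows it, so the developer's broad identity policy cannot reach beyond the boundary on its own.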