What is the MOST efficient way to design an architecture to meet these requirements?
Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the PowerUserAccess managed policy to the role. Apply an inline policy to all IAM users and roles in every AWS account to deny permissions on the AWSPrivateMarketplaceAdminFullAccess managed policy.
Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the AdministratorAccess managed policy to the role. Define a permissions boundary with the AWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the developer roles.
Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
Create an IAM role named procurement-manager-role in all AWS accounts that will be used by developers. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an SCP in Organizations to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Apply the SCP to all the shared services accounts in the organization.
Explanations:
This option creates the role and grants it permissions, but it is both over-permissive and unmanageable. PowerUserAccess grants nearly every service action (it excludes only IAM, Organizations and Account management), which is far more than Private Marketplace administration requires. Denying the rest of the organization by attaching an inline deny policy to every IAM user and role in every account does not scale: IAM policies deny actions, not managed policies; the inline policy has to be re-applied whenever a principal is created; and any account administrator can simply detach it. Guardrails that must hold across all accounts belong in service control policies (SCPs), not in per-principal identity policies.
This option grants excessive permissions by attaching the AdministratorAccess policy to procurement-manager-role. It also misuses permissions boundaries: a boundary sets the maximum permissions an IAM user or role can have, it does not deny anything on its own. Attaching AWSPrivateMarketplaceAdminFullAccess as the boundary on the developer roles would cap developers at exactly the Private Marketplace administration permissions the company wants to withhold from them, while cutting them off from the services they actually need. Boundaries must also be attached to each principal individually and can be removed by any account administrator, so they cannot enforce an organization-wide restriction.
This option is the most efficient design. The procurement-manager-role is created only in the shared services accounts and receives AWSPrivateMarketplaceAdminFullAccess, the least-privilege managed policy for the task. A root-level SCP denies the Private Marketplace administration actions to every principal in the organization except that role, typically through a StringNotLike condition on aws:PrincipalARN matching arn:aws:iam::*:role/procurement-manager-role. Because that exemption is keyed on the role name, a second root-level SCP denies creation of a role named procurement-manager-role, so an administrator in another member account cannot create a same-named role and inherit the exemption. Both controls are defined once at the root and apply to every member account automatically, which meets the requirements with the least ongoing effort. One caveat: SCPs never apply to the organization's management account, so principals in that account remain outside this guardrail and must be controlled separately.
This option places the role in the developer accounts, spreading the privileged role across the accounts that should have the least access to it instead of concentrating it in the shared services accounts. More importantly, the SCP is applied only to the shared services accounts, so it restricts exactly the wrong set of accounts: every principal in the developer accounts, where the role actually lives, is left free to administer the Private Marketplace, and nothing stops someone from creating a same-named role in any unrestricted account to satisfy the SCP's exemption. To be effective, the deny must be attached at the organization root (or to every OU), as the previous option does.
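As an added illustration of the correct (third) option, written for this explanation rather than taken from the question or from AWS documentation, the two root-level SCPs could be expressed as follows. They are shown here as two statements in one policy document; they can equally be attached as two separate SCPs, as the option describes. Several details are assumptions: the action pattern aws-marketplace:*PrivateMarketplace* is used to cover the Private Marketplace administration actions and should be checked against the Service Authorization Reference before deployment; the exemption for a role named org-iam-deployer is hypothetical and exists so that the legitimate role can still be provisioned in the shared services accounts after the SCP is in place; and the second statement goes slightly beyond the option's text by also denying changes to an existing procurement-manager-role, so that an account administrator cannot alter its trust policy or permissions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPrivateMarketplaceAdminExceptProcurementRole",
      "Effect": "Deny",
      "Action": [
        "aws-marketplace:*PrivateMarketplace*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/procurement-manager-role"
        }
      }
    },
    {
      "Sid": "DenyCreatingOrModifyingProcurementRoleExceptAssumedDeployer",
      "Effect": "Deny",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:DeleteRolePermissionsBoundary"
      ],
      "Resource": "arn:aws:iam::*:role/procurement-manager-role",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/org-iam-deployer"
        }
      }
    }
  ]
}
```

The first statement is what makes the role name privileged: for an assumed role, aws:PrincipalARN resolves to the role's ARN, so any principal not operating as procurement-manager-role is denied regardless of what its identity policies allow. The second statement is what keeps that name trustworthy across accounts. Both must be attached at the organization root; attaching them to a single OU or account leaves every other account unconstrained, which is the flaw in the fourth option. Remember that SCPs do not affect the management account, and that an SCP only filters permissions: the procurement-manager-role in the shared services accounts still needs AWSPrivateMarketplaceAdminFullAccess attached to it to be able to act.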