Which additional action is the MOST secure way to grant permissions to the new users?
Apply service control policies (SCPs) to manage access permissions
Create IAM roles that have least privilege permission. Attach the roles to the IAM groups
Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups
Create IAM roles. Associate the roles with a permissions boundary that defines the maximum permissions
Explanations:
Service Control Policies (SCPs) are used to manage permissions for accounts in an AWS Organization, but they do not directly grant permissions to individual users or IAM groups. SCPs are more about governing and restricting what actions can be performed across the organization rather than assigning permissions to users.
While creating IAM roles with least privilege permissions is a good practice, simply attaching roles to IAM groups does not grant permissions directly to users. IAM roles are meant to be assumed by entities, rather than assigned directly, making this approach less secure for managing user permissions.
Creating an IAM policy that grants least privilege permissions and attaching it to IAM groups is a secure and effective way to manage permissions for new users. This allows for centralized management of permissions based on group membership, ensuring that users only have the access necessary for their roles.
Associating IAM roles with a permissions boundary can help define maximum permissions but does not directly assign permissions to users. A permissions boundary only caps what a role may do; it grants nothing by itself, so this approach complicates user permission management without providing the access the new users actually need.
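As an added illustration of the third option (a least-privilege IAM policy attached to a group), the following Python is not part of the original question or of any AWS material; it builds a policy document scoped to read-only access on a single S3 bucket and runs a simple check that rejects bare wildcards before the policy is attached. The bucket name and the policy contents are constructed placeholders.

```python
import json

# Constructed placeholder: the one bucket this group of users needs to read from.
BUCKET = "example-reports-bucket"


def build_least_privilege_policy(bucket: str) -> dict:
    """Return an IAM identity policy limited to listing and reading one bucket.

    The two statements use the narrowest resource ARNs that still work:
    s3:ListBucket applies to the bucket ARN, s3:GetObject to the objects in it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOneBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "ReadObjectsInOneBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def find_over_broad_statements(policy: dict) -> list:
    """Flag Allow statements whose Action or Resource is a bare wildcard.

    Returns a list of (Sid, field, value) tuples; an empty list means the
    policy passed this least-privilege check. Deny statements are skipped
    because a wildcard there narrows access rather than widening it.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # IAM accepts either a single string or a list for both fields.
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        sid = stmt.get("Sid", "<no Sid>")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "Action", action))
        for resource in resources:
            if resource == "*":
                findings.append((sid, "Resource", resource))
    return findings


# Constructed counter-example: the kind of policy the check should stop
# before it is ever attached to a group.
OVER_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Everything", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
}


if __name__ == "__main__":
    policy = build_least_privilege_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print("least-privilege findings:", find_over_broad_statements(policy))
    print("over-broad findings:", find_over_broad_statements(OVER_BROAD_POLICY))
```

Once the document passes the check, it is created and attached to the group with the standard CLI calls: `aws iam create-policy --policy-name <name> --policy-document file://policy.json`, then `aws iam attach-group-policy --group-name <group> --policy-arn <arn>`. New users then receive exactly this access by being added to the group, which is the centralized, membership-based management the explanation above describes.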