Which additional action is the MOST secure way to grant permissions to the new users?
Apply service control policies (SCPs) to manage access permissions
Create IAM roles that have least privilege permission. Attach the roles to the IAM groups
Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups
Create IAM roles. Associate the roles with a permissions boundary that defines the maximum permissions
Explanations:
Service control policies (SCPs) are used to set permission boundaries for AWS Organizations, not for individual IAM groups or users, making them unsuitable for this scenario.
Attaching roles directly to groups is not possible in AWS IAM. Roles are typically used for temporary access and are assumed by users or services, not attached to IAM groups.
Creating an IAM policy with least privilege permissions and attaching it to IAM groups is the most secure and manageable way to grant permissions to users based on department.
Permissions boundaries set a maximum permission limit but do not grant permissions. Roles with boundaries do not directly address departmental access for new users effectively.
To the best of my knowledge, the answer is:
Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups
If I had to guess, I’d say the answer is:
Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups