Which combination of changes in existing IAM policies should a Database Specialist make to prevent an error like this from happening in the future?
(Choose three.)
Grant least privilege to groups, users, and roles
Allow all users to restore a database from a backup that will reduce the overall downtime to restore the database
Enable multi-factor authentication for sensitive operations to access sensitive resources and API operations
Use policy conditions to restrict access to selective IP addresses
Use AccessList Controls policy type to restrict users for database instance deletion
Enable AWS CloudTrail logging and Enhanced Monitoring
Explanations:
Granting least privilege ensures that users have only the necessary permissions to perform their required tasks, reducing the risk of accidental deletions.
Allowing all users to restore a database could increase the potential for mistakes. Only specific roles should have this permission to limit the impact of errors.
Enabling MFA for sensitive operations adds an extra layer of security to prevent unauthorized actions, such as accidental deletions of databases.
Restricting access to specific IP addresses ensures that only trusted locations can perform sensitive actions, reducing the risk of unintentional errors.
AWS does not have an “AccessList Controls” policy type. The correct approach would be to use IAM policies to limit permissions related to deletion.
While enabling AWS CloudTrail logging and Enhanced Monitoring is good for auditing, it does not directly prevent accidental deletions or restrict permissions.
I rank that the answer is:
Grant least privilege to groups, users, and roles
From my perspective, the answer is:
Grant least privilege to groups, users, and roles