Which combination of steps will meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company uses AWS Organizations to manage hundreds of AWS accounts.The company has a team that is responsible for AWS Identity and Access Management (IAM).The IAM team wants to implement AWS IAM Identity Center (AWS Single Sign-On).The IAM team must have only the minimum needed permissions to manage IAM Identity Center.The IAM team must not be able to gain unneeded access to the Organizations management account.The IAM team must be able to provision new IAM Identity Center permission sets and assignments for existing and new member accounts.

Which combination of steps will meet these requirements?

(Choose three.)

Create a new AWS account for the IAM team. In the new account, enable IAM Identity Center. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.

Create a new AWS account for the IAM team. In the Organizations management account, enable IAM Identity Center. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.

In IAM Identity Center, create users and a group for the IAM team. Add the users to the group. Create a new permission set. Attach the AWSSSODirectoryAdministrator managed IAM policy to the group.

In IAM Identity Center, create users and a group for the IAM team. Add the users to the group. Create a new permission set. Attach the AWSSSOMemberAccountAdministrator managed IAM policy to the group.

Assign the permission set to the Organizations management account. Allow the IAM team group to use the permission set.

Assign the permission set to the new AWS account. Allow the IAM team group to use the permission set.

Explanations:

Creating a new AWS account for the IAM team and enabling IAM Identity Center there helps isolate the IAM team from the Organizations management account. Registering this new account as a delegated administrator for IAM Identity Center allows the team to manage identity and access without compromising the management account.

Enabling IAM Identity Center in the Organizations management account does not meet the requirement of limiting access for the IAM team. This would allow them unnecessary access to the management account, which contradicts the requirement for minimum needed permissions.

While creating users and a group for the IAM team is a necessary step, attaching the AWSSSODirectoryAdministrator policy gives the IAM team excessive permissions over the IAM Identity Center. They would have more access than required, which does not align with the principle of least privilege.

Creating users and a group for the IAM team and attaching the AWSSSOMemberAccountAdministrator policy provides the necessary permissions for managing IAM Identity Center within member accounts without granting excess access to the management account, thereby adhering to the principle of least privilege.

Assigning the permission set to the Organizations management account allows the IAM team access to the management account, which they should not have. This violates the requirement to restrict access to the management account.

Assigning the permission set to the new AWS account for the IAM team enables them to manage IAM Identity Center permissions for member accounts effectively. This ensures they have the required permissions without access to the Organizations management account.

2025-10-08

1 Comment

  1. Christopher
    Author

    I judge that the answer is:
    Create a new AWS account for the IAM team. In the new account, enable IAM Identity Center. In the Organizations management account, register the new account as a delegated administrator for IAM Identity Center.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × four =